Google has issued a security alert for Chrome users over two zero-day vulnerabilities that have been actively exploited. The company released updates this month to patch both CVE-2026-3909 and CVE-2026-3910, with CVE-2026-3909 later addressed separately. Chrome currently serves around 3.5 billion users, according to Forbes.
Since 2023, weekly security updates have become standard, but when Google releases a second security update for the Chrome browser just two days after the first, it indicates a significant issue. Indeed, Google has acknowledged the presence of at least two zero-day vulnerabilities affecting Chrome users and has confirmed that exploits are already in circulation.
Google has rolled out emergency security updates for Chrome to fix two serious zero-day vulnerabilities currently being exploited in the wild. The first, CVE-2026-3909, affects Skia, the graphics framework Chrome uses to render web pages, and could allow attackers to crash the browser or execute malicious code. The second, CVE-2026-3910, involves the V8 engine that powers JavaScript and WebAssembly.
The patches are being deployed to Windows, macOS, and Linux users via the Stable Desktop channel, but it may take several days for all 3.5 billion users to receive the update. Google warns that simply visiting a malicious website could trigger these exploits and urges users to update Chrome immediately or enable automatic updates.
These vulnerabilities mark the second and third actively exploited Chrome zero-days in 2026, following a similar flaw patched in February. Google continues to restrict detailed bug information until the majority of users are updated to prevent further attacks.
A zero-day attack refers to a cyber assault that takes advantage of a software or hardware flaw that the vendor is unaware of, leaving 'zero days' to address it. Since no patch or defense is available, attackers exploit these vulnerabilities to steal information, install malware, or gain unauthorized access before developers can close the security loophole.