Google has issued an emergency security update for Chrome to address CVE-2026-3910, a zero-day vulnerability in the browser's V8 JavaScript and WebAssembly engine that is being actively exploited in the wild.
The vulnerability represents a high-severity flaw that could allow attackers to execute arbitrary code within the browser sandbox through specially crafted HTML pages. This means cybercriminals can potentially compromise systems simply by tricking users into visiting malicious or compromised websites.
The emergency patch addresses two critical vulnerabilities simultaneously. Alongside CVE-2026-3910, Google also fixed CVE-2026-3909, an out-of-bounds write vulnerability in the Skia graphics library that is also under active exploitation.
%20(1)%20(1).webp)
This latest zero-day discovery continues a concerning trend in browser security threats. The vulnerability comes after Google previously patched CVE-2026-2441 earlier this year, which was identified as the first actively exploited Chrome zero-day of 2026.
The threat landscape for zero-day vulnerabilities has intensified significantly. According to Google Threat Intelligence Group data, researchers tracked 90 zero-days exploited in the wild during 2025, representing an increase from 78 documented cases in 2024. Particularly alarming is that enterprise technologies accounted for 43 cases, or a record 48% of observed exploitation activity.
The V8 engine vulnerability poses substantial risks for enterprise environments where Chrome is deeply integrated into daily operations. Since V8 processes active content during normal browsing sessions, exploitation can begin through routine web activities, potentially leading to credential theft, malicious code deployment, or broader network compromise when combined with other attack vectors.
Google has confirmed that CVE-2026-3910 is being exploited in active attack campaigns but has not released technical details about the specific exploitation methods to prevent further abuse.
Immediate remediation requires updating Chrome to the latest patched versions. The fixed desktop builds include versions 146.0.7680.75 and 146.0.7680.76 for Windows and macOS systems, and 146.0.7680.75 for Linux distributions.
Given the confirmed in-the-wild exploitation, organizations should prioritize deploying these updates across all employee endpoints, administrator workstations, and shared systems used for web browsing activities.
Organizations using Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi should also monitor for corresponding security patches from their respective vendors, as these browsers share underlying Chrome components that may be affected by similar vulnerabilities.
Security teams should monitor for indicators of compromise and implement additional protective measures while patches are being deployed across enterprise environments.