Google has released emergency security updates for its Chrome web browser to address two high-severity zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being actively exploited in the wild.
The Vulnerabilities
While Google has restricted exact technical details until a majority of users are updated, early analysis indicates that the flaws involve memory corruption issues within the V8 JavaScript engine and WebRTC components.
Specifically, CVE-2026-3909 allows a remote, unauthenticated attacker to execute arbitrary code within the context of the browser by tricking the user into visiting a specially crafted webpage.
CISA Directive Issued
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring all federal civilian executive branch (FCEB) agencies to apply fixes by March 27, 2026.
Mitigation Action Required
Users are strongly advised to update Chrome to version 145.0.7428.100 for Windows/Mac and 145.0.7428.99 for Linux immediately. Chromium-based browsers such as Microsoft Edge, Brave, and Vivaldi are also expected to release patches quickly.
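For fleet triage against the fixed builds listed above, the following added example (not code from Google or CISA) classifies reported Chrome versions per platform. The host names and inventory rows are constructed, and the platform labels `windows`, `mac` and `linux` are assumptions about how an inventory tags its hosts.

```python
# Added example: flag Chrome installs older than the fixed builds in the advisory.

# Fixed builds as stated in the advisory text above.
FIXED = {
    "windows": (145, 0, 7428, 100),
    "mac": (145, 0, 7428, 100),
    "linux": (145, 0, 7428, 99),
}

def parse_version(text):
    """Parse 'A.B.C.D' into a tuple of ints; return None if malformed.
    Uses the last whitespace-separated token, so output such as
    'Google Chrome 145.0.7428.99' also parses."""
    tokens = text.split()
    if not tokens:
        return None
    parts = tokens[-1].split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one Chrome install."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuples compare numerically per component, so .99 < .100 here;
    # comparing the raw strings would rank '99' above '100'.
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        status = assess(platform, version_text)
        if status != "patched":
            findings.append((host, status))
    return findings

# Constructed sample inventory: (host, platform label, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "145.0.7428.100"),
    ("ws-02", "windows", "145.0.7428.99"),
    ("mac-01", "mac", "144.0.7400.10"),
    ("lnx-01", "linux", "Google Chrome 145.0.7428.99"),
    ("kiosk-07", "chromeos", "145.0.7428.100"),
    ("ws-03", "windows", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The thresholds apply to Google Chrome only; other Chromium-based browsers use their own version numbering and should be checked against their vendors' fixed releases.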