Google Releases Emergency Update for Two Actively Exploited Chrome Zero-Days (CVE-2026-3909, CVE-2026-3910)

Google Scrambles to Patch Two Actively Exploited Chrome Zero-Days

CRITICAL
February 13, 2026
Vulnerability, Patch Management

Related Entities

Products & Tech

Google Chrome, Microsoft Edge, Brave, Vivaldi, Skia, V8

CVE Identifiers

  • CVE-2026-3909: HIGH (CVSS 8.8)
  • CVE-2026-3910: HIGH (CVSS 8.8)

Full Report

Executive Summary

On February 12, 2026, Google released an emergency security update for the Chrome web browser, patching two high-severity zero-day vulnerabilities that are under active exploitation. The vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, both carry a CVSS score of 8.8 and can lead to arbitrary code execution. The flaws reside in the Skia 2D graphics library and the V8 JavaScript engine, respectively. Given that Google has confirmed active exploits "in the wild," immediate patching is critical for all Chrome users and users of other Chromium-based browsers to prevent compromise.

Vulnerability Details

This emergency update addresses two distinct high-severity flaws:

  • CVE-2026-3909 (CVSS 8.8): This is an out-of-bounds write vulnerability in the Skia 2D graphics library. An attacker can craft a malicious HTML page that, when processed by the victim's browser, triggers a write outside the boundaries of an allocated memory buffer. This can lead to corruption of sensitive data, a crash, or arbitrary code execution within the context of the browser's sandboxed process.

  • CVE-2026-3910 (CVSS 8.8): This is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. This type of flaw typically arises from incorrect logic or faulty implementation of a feature, which an attacker can exploit via a specially crafted HTML page. Successful exploitation allows a remote attacker to execute arbitrary code within the V8 sandbox, which could potentially be chained with another vulnerability to escape the sandbox and compromise the underlying system.

Affected Systems

The vulnerabilities affect Google Chrome versions prior to the patched releases. Users should update immediately.

  • Google Chrome: Versions before 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux.
  • Other Chromium-based Browsers: Users of browsers such as Microsoft Edge, Brave, and Vivaldi should monitor for and apply corresponding security updates from their respective vendors as they are released.

Exploitation Status

Google has explicitly stated that it "is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild." This confirms that threat actors are actively using these vulnerabilities in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is expected to add both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, mandating patching for federal agencies.

Impact Assessment

Successful exploitation of either vulnerability allows an attacker to execute arbitrary code on a victim's machine by tricking them into visiting a malicious website. While this code execution is initially contained within the browser's sandbox, attackers often chain such exploits with a sandbox escape vulnerability (T1068 - Exploitation for Privilege Escalation) to gain full control over the compromised system. This could lead to the installation of malware, ransomware, spyware, or the theft of sensitive information.

Detection Methods

  • Version Scanning: Use asset management or vulnerability scanning tools to identify all endpoints running vulnerable versions of Google Chrome or other Chromium-based browsers.
  • Endpoint Monitoring: Monitor for suspicious child processes spawned by browser processes (chrome.exe, msedge.exe). For example, a browser process spawning cmd.exe or powershell.exe is highly anomalous and warrants investigation. This aligns with D3FEND's Process Analysis (D3-PA).
  • Network Analysis: While difficult due to encryption, monitor for browser processes making network connections to known malicious domains or IP addresses. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
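
The Endpoint Monitoring check above, written as detection logic over process-creation events. This is an added example, not part of the original article; the event field names (host, parent_image, image, command_line) and the sample events are constructed assumptions to be mapped onto your own EDR or Sysmon schema.

```python
import ntpath

# Parent and child image names taken from the article's Endpoint Monitoring bullet.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

def image_name(path):
    """Lower-cased executable name from a Windows path (quoting and case vary by sensor)."""
    return ntpath.basename(path.strip().strip('"')).lower()

def find_browser_shell_spawns(events):
    """Return one finding per event where a browser is the parent of a shell."""
    findings = []
    for ev in events:
        parent = image_name(ev.get("parent_image", ""))
        child = image_name(ev.get("image", ""))
        if parent in BROWSER_PARENTS and child in SHELL_CHILDREN:
            findings.append({"host": ev.get("host", "unknown"),
                             "parent": parent, "child": child,
                             "command_line": ev.get("command_line", "")})
    return findings

# Constructed sample events; the field names are assumptions, not a real sensor schema.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --type=renderer"},   # normal: browser child process
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},               # shell, but not spawned by a browser
    {"host": "ws-03", "parent_image": r"C:\Program Files\Google\Chrome\Application\CHROME.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},                      # flagged
    {"host": "ws-04",
     "parent_image": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "command_line": "powershell.exe -NoProfile"},    # flagged
]

if __name__ == "__main__":
    for f in find_browser_shell_spawns(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['child']} ({f['command_line']})")
```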

Remediation Steps

Immediate patching is the only effective remediation.

  1. Update Google Chrome: Navigate to chrome://settings/help in the browser to trigger the automatic update check and restart the browser to apply the patch.
  2. Update Other Browsers: For users of Microsoft Edge, Brave, Vivaldi, etc., check for updates within the browser's settings menu and apply them as soon as they are available.
  3. Enable Automatic Updates: Ensure that automatic updates are enabled for all web browsers to ensure timely patching against future zero-day vulnerabilities. This is a key component of D3FEND's Software Update (D3-SU).
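
To confirm the updates above actually landed, and for the version scanning described under Detection Methods, an inventory can be triaged against the fixed builds listed under Affected Systems. This is an added example, not part of the original article; the row layout (host, os, browser, version) and the sample rows are constructed assumptions.

```python
# First fixed Chrome build per platform, from the article's Affected Systems list.
FIXED_CHROME = {"windows": (146, 0, 7680, 75),
                "macos": (146, 0, 7680, 75),
                "linux": (146, 0, 7680, 75)}
# Chromium-based browsers the article names without giving a fixed build.
OTHER_CHROMIUM = {"microsoft edge", "brave", "vivaldi"}

def parse_version(text):
    """'146.0.7680.75' -> (146, 0, 7680, 75), so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(os_name, browser, version):
    """Classify one install as 'vulnerable', 'patched', 'check-vendor' or 'unknown'."""
    name = browser.strip().lower()
    if name in OTHER_CHROMIUM:
        return "check-vendor"      # compare against that vendor's advisory instead
    fixed = FIXED_CHROME.get(os_name.strip().lower())
    if name != "google chrome" or fixed is None:
        return "unknown"
    try:
        return "vulnerable" if parse_version(version) < fixed else "patched"
    except ValueError:
        return "unknown"           # unparseable inventory data needs a manual look

def triage_inventory(rows):
    """Map host -> status for (host, os, browser, version) rows."""
    return {host: triage(os_name, browser, version)
            for host, os_name, browser, version in rows}

# Constructed inventory rows; hosts and the non-fixed version numbers are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "Google Chrome", "146.0.7680.76"),
    ("ws-02", "Windows", "Google Chrome", "146.0.7680.8"),  # "8" > "75" as text, 8 < 75 as int
    ("mac-01", "macOS", "Google Chrome", "145.0.7000.100"),
    ("lin-01", "Linux", "Google Chrome", "146.0.7680.75"),
    ("ws-03", "Windows", "Microsoft Edge", "146.0.0.0"),
    ("ws-04", "Windows", "Google Chrome", "not-installed"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The ws-02 row is the case a plain string comparison gets wrong, which is why versions are parsed into integer tuples first.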

Timeline of Events

  1. February 10, 2026: Google's internal team discovers the two zero-day vulnerabilities.
  2. February 12, 2026: Google releases an emergency patch for Chrome and confirms active exploitation.
  3. February 13, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security updates provided by Google immediately.

Modern browsers include exploit protections like sandboxing and ASLR. Ensure these features are enabled and not bypassed.

Use web filtering to block access to known malicious or untrusted websites that could host exploit code.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Zero-Day, Google Chrome, Vulnerability, Patching, V8, Skia, RCE
