Chrome Skia and V8 exploited zero-days (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Chrome on Windows, macOS, and Linux is affected by two high-severity zero-days, CVE-2026-3909 and CVE-2026-3910, that Google says were exploited in the wild. One flaw is an out-of-bounds write in Skia that can trigger out-of-bounds memory access from a crafted HTML page. The other is an inappropriate implementation issue in V8 that can enable arbitrary code execution inside a sandbox from a crafted HTML page. Google shipped fixes in 146.0.7680.75/76 and urged users to update immediately because the bugs were already being abused.
Related Happenings
Opera GX browser GX Mods auto-install CSS injection patched security flaw
Vulnerability
H score21
First: 06.07.2026 17:15
Last: 06.07.2026 17:15
Sources 1
About this happening:
A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...
Opera GX browser GX Mods auto-install CSS injection patched security flaw
VulnerabilityAbout this happening: A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...
Opera GX silent mod-install XS-Leak security flaw
Vulnerability
H score19
First: 06.07.2026 10:27
Last: 06.07.2026 10:27
Sources 1
About this happening:
**Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...
Opera GX silent mod-install XS-Leak security flaw
VulnerabilityAbout this happening: **Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
Vulnerability
H score45
First: 09.06.2026 09:56
Last: 09.06.2026 09:56
Sources 1
About this happening:
**Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
VulnerabilityAbout this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
ExploitBench benchmark shows frontier AI models can stage Chrome exploit chains against vulnerable V8 builds
Technical Analysis
H score16
First: 04.06.2026 16:00
Last: 04.06.2026 16:00
Sources 1
About this happening:
Bugcrowd’s **ExploitBench** now shows frontier AI models can progress through staged **Google Chrome** exploit chains, raising the risk of faster **AI-assisted exploit development...
ExploitBench benchmark shows frontier AI models can stage Chrome exploit chains against vulnerable V8 builds
Technical AnalysisAbout this happening: Bugcrowd’s **ExploitBench** now shows frontier AI models can progress through staged **Google Chrome** exploit chains, raising the risk of faster **AI-assisted exploit development...
Chromium JavaScript background RCE flaw
Vulnerability
H score16
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Timeline
-
13.03.2026 02:00 1 articles · 3mo ago
Google discovers and reports Chrome zero-days CVE-2026-3909 and CVE-2026-3910
Initial DisclosureGoogle discovered and reported CVE-2026-3909 in the Skia 2D graphics library and CVE-2026-3910 in the V8 JavaScript and WebAssembly engine on March 10, 2026; both flaws were later described as high-severity Chrome vulnerabilities exploited in the wild via crafted HTML pages.
Show sources
- Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 — thehackernews.com — 13.03.2026 11:17
-
13.03.2026 02:00 2 articles · 3mo ago
Google releases Chrome fixes for CVE-2026-3909 and CVE-2026-3910
Mitigation Patch UpdateGoogle released Chrome security updates to address CVE-2026-3909 and CVE-2026-3910, urging users to relaunch after updating to 146.0.7680.75/76 on Windows and macOS or 146.0.7680.75 on Linux.
Show sources
- Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 — thehackernews.com — 13.03.2026 11:17
- Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 — thehackernews.com — 13.03.2026 11:17