Find notable cyber news and cases, enriched with sources, timelines, and signals.

Chrome Skia and V8 exploited zero-days (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

Chrome on Windows, macOS, and Linux is affected by two high-severity zero-days, CVE-2026-3909 and CVE-2026-3910, that Google says were exploited in the wild. One flaw is an out-of-bounds write in Skia that can trigger out-of-bounds memory access from a crafted HTML page. The other is an inappropriate implementation issue in V8 that can enable arbitrary code execution inside a sandbox from a crafted HTML page. Google shipped fixes in 146.0.7680.75/76 and urged users to update immediately because the bugs were already being abused.

Related Happenings

Opera GX browser GX Mods auto-install CSS injection patched security flaw

Vulnerability
H score21 First: 06.07.2026 17:15 Last: 06.07.2026 17:15 Sources 1

About this happening: A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...

Opera GX silent mod-install XS-Leak security flaw

Vulnerability
H score19 First: 06.07.2026 10:27 Last: 06.07.2026 10:27 Sources 1

About this happening: **Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...

Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)

Vulnerability
H score45 First: 09.06.2026 09:56 Last: 09.06.2026 09:56 Sources 1

About this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...

ExploitBench benchmark shows frontier AI models can stage Chrome exploit chains against vulnerable V8 builds

Technical Analysis
H score16 First: 04.06.2026 16:00 Last: 04.06.2026 16:00 Sources 1

About this happening: Bugcrowd’s **ExploitBench** now shows frontier AI models can progress through staged **Google Chrome** exploit chains, raising the risk of faster **AI-assisted exploit development...

Chromium JavaScript background RCE flaw

Vulnerability
H score16 First: 21.05.2026 21:13 Last: 21.05.2026 21:13 Sources 1

About this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...

Timeline

  1. 13.03.2026 02:00 1 articles · 3mo ago

    Google discovers and reports Chrome zero-days CVE-2026-3909 and CVE-2026-3910

    Initial Disclosure

    Google discovered and reported CVE-2026-3909 in the Skia 2D graphics library and CVE-2026-3910 in the V8 JavaScript and WebAssembly engine on March 10, 2026; both flaws were later described as high-severity Chrome vulnerabilities exploited in the wild via crafted HTML pages.

    Show sources
  2. 13.03.2026 02:00 2 articles · 3mo ago

    Google releases Chrome fixes for CVE-2026-3909 and CVE-2026-3910

    Mitigation Patch Update

    Google released Chrome security updates to address CVE-2026-3909 and CVE-2026-3910, urging users to relaunch after updating to 146.0.7680.75/76 on Windows and macOS or 146.0.7680.75 on Linux.

    Show sources