
Google Chrome Zero-Day Exploits in Skia and V8 Engine

2 unique sources, 2 articles

Summary


Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, and the fixes cover Windows, macOS, and Linux systems. The updates are rolling out, though they may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.

Timeline

  1. 13.03.2026 08:56 · 2 articles

    Google Patches Two Actively Exploited Chrome Zero-Days

    Google has released emergency updates for Chrome to patch two zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being actively exploited in the wild. The first vulnerability is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second vulnerability is an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Google discovered and patched both vulnerabilities within two days of reporting, releasing updates for Windows, macOS, and Linux systems. The updates are rolling out, though they may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.



Similar Happenings

Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 84 Flaws

Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update.

CVE-2026-2441: Chrome Zero-Day Exploited in the Wild

Google has released a patch for a high-severity use-after-free vulnerability (CVE-2026-2441) in Chrome's CSSFontFeatureValuesMap, which is actively being exploited. The flaw, discovered by Shaheen Fazim, allows remote attackers to execute arbitrary code within a sandbox via crafted HTML pages. Users are advised to update to versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. This is the first actively exploited zero-day in Chrome for 2026, highlighting the ongoing threat of browser-based vulnerabilities. The vulnerability was disclosed to the vendor on February 11, 2026, only two days before it was patched. The flaw can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website, although an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover. The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating its importance and urgency. The commit message notes that the patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed. The update was published on February 13, 2026, and accompanied by an advisory on CVE-2026-2441. Google has restricted access to bug details and links until a majority of users are updated with a fix. Google released eight emergency patches for Chrome in 2025 to protect against actively exploited vulnerabilities.

Cisco Unified Communications RCE Zero-Day Exploited in Attacks

Cisco has patched a critical remote code execution vulnerability (CVE-2026-20045) in its Unified Communications and Webex Calling products, which has been actively exploited in attacks. The flaw, with a CVSS score of 8.2, allows attackers to gain user-level access and escalate privileges to root on affected systems. Cisco has released patches for various versions of the impacted products and urged customers to update immediately. The U.S. CISA has added the vulnerability to its KEV Catalog, requiring federal agencies to patch by February 11, 2026.

High-Severity Flaws Patched in Firefox 145 and Chrome 142

Mozilla and Google released updates for Firefox and Chrome, addressing multiple high-severity vulnerabilities. Firefox 145 fixes 16 flaws, including nine high-severity issues, while Chrome 142 resolves a critical V8 JavaScript engine flaw. Both updates include improvements to security and functionality.