Google shipped an emergency out-of-band security update for Chrome on 13 March 2026, patching two zero-day vulnerabilities actively exploited in targeted attacks. Both CVEs were added to the CISA Known Exploited Vulnerabilities catalogue on the same day, with a federal agency remediation deadline of 27 March. Organisations deploying Chrome at enterprise scale — and those relying on Chromium-based browsers including Edge, Brave, and Opera — should treat this update as urgent.
The Two Vulnerabilities
CVE-2026-3909 — Skia Out-of-Bounds Write (CVSS 8.8 HIGH)
The first flaw is an out-of-bounds memory write in Skia, the open-source 2D graphics library Chrome uses to rasterise page content. Out-of-bounds writes in Skia have historically made reliable primitives for compromising the renderer process: a crafted web page triggers the write while it is being drawn, corrupts adjacent heap memory in a controlled way, and from that corruption the attacker builds arbitrary code execution inside the sandboxed renderer. That alone does not reach the host. A second bug, a sandbox escape, is normally chained to get from the renderer to OS-level execution.
CVE-2026-3910 — V8 Inappropriate Implementation
The second vulnerability resides in V8, Chrome’s JavaScript and WebAssembly engine. “Inappropriate implementation” is the label Google applies when a component behaves in an unsafe way that is not a straightforward memory-safety defect, so the label on its own says little about the primitive. One distinction matters for impact here. V8 has its own in-process heap sandbox; escaping it gives an attacker arbitrary memory read and write inside the renderer process, which is not the same as escaping the renderer’s OS-level sandbox, and Google’s one-line bug descriptions do not say which of the two a given “V8 sandbox escape” achieves. Either way the bug is valuable to attackers because it removes a layer of the containment that Chrome’s multi-process model provides. If it does break out of the renderer sandbox, a weaponised chain of CVE-2026-3909 and CVE-2026-3910 reaches arbitrary code execution on the underlying OS with no user interaction beyond loading a malicious page; if it only escapes the V8 heap sandbox, it is the step that turns the Skia corruption into reliable renderer-level control, and a further escape is still needed for host compromise.
Exploitation Context
Google confirmed that both vulnerabilities were exploited in the wild before the patch was released, but declined to give detail about threat actors or targeting, its standard posture until most of the user population has updated. The shape of the bugs, a renderer bug plus a sandbox escape against a major browser, is the pattern seen from both commercial spyware operators and state actors running espionage campaigns.
The patched version is Chrome 146.0.7680.75 (Linux/Mac) and 146.0.7680.76 (Windows). Chromium-based browsers typically follow Google’s patch within 24–72 hours; check vendor-specific advisories for Edge (Microsoft), Brave, and Opera.
Affected Scope
Any Chrome installation prior to 146.0.7680.75 (Linux/macOS) or 146.0.7680.76 (Windows) is affected. Chrome on iOS is built on Apple’s WebKit rather than Blink, V8 and Skia, so these two bugs do not apply to it. Chrome on Android does share V8 and Skia with desktop Chrome; it is updated through Google Play on its own schedule and covered by its own release notes, so check those separately rather than assuming the desktop advisory settles it.
Enterprise environments deploying Chrome via Google Workspace or MSI/PKG packages should validate that auto-update is enabled and that update policies do not pin Chrome to an older version (for example, a target-version prefix set through the Google Update policies). Extended Stable channel users should note that the corresponding Extended Stable build may ship on a different schedule; check its release notes for the build that carries these fixes.
Recommended Actions
- Update Chrome immediately to 146.0.7680.75 (Linux/Mac) or 146.0.7680.76 (Windows). Navigate to chrome://settings/help to force a check; the update only takes effect after Chrome is relaunched, so a user who keeps the old process running is still exposed.
- Verify Chromium-based browser updates: Microsoft Edge, Brave, Opera, and other Chromium derivatives ship the same V8 and Skia code. Each vendor numbers its builds independently, so a Chrome version check does not cover them; confirm against each vendor’s own advisory that a corresponding patch has shipped.
- Check enterprise deployment tools: If Chrome is managed via Google Workspace Admin, Intune, or GPO, validate that the update has been distributed and applied across the estate. Pull a compliance report before the CISA deadline of 27 March, and compare against the platform-specific build (Windows needs .76, Linux and macOS need .75).
- Review browser isolation policies: Site Isolation (a separate renderer process per site) has been Chrome’s desktop default for several years, but for high-risk endpoints (executive devices, developer workstations with privileged access) confirm it is enforced and not disabled. Manage it through the SitePerProcess enterprise policy rather than the per-user chrome://flags/#enable-site-per-process entry, which an end user can flip. Be clear about what it buys: a compromised renderer is confined to one site’s data instead of every open tab’s; it does not stop the Skia corruption itself or a sandbox escape.
- FCEB agencies: Remediation is mandatory by 27 March 2026 per CISA Binding Operational Directive 22-01.
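The version check behind the second and third actions above, written out as an added example (not a script from the advisory, Google or CISA). It takes an inventory export of the kind most endpoint-management consoles can produce (one row per endpoint with hostname, OS, browser and version; that column layout and the sample rows are constructed here) and reports which rows still run an unpatched Chrome. The fixed build numbers are the ones the advisory states. Rows for Edge, Brave and Opera are deliberately not compared against the Chrome floor, since those vendors number builds independently, and are flagged for a vendor-advisory check instead.

```python
"""Flag Chrome installs that predate the fix for CVE-2026-3909 / CVE-2026-3910.

Added example for this advisory, not Google's or CISA's tooling. The fixed
build numbers come from the advisory; the inventory column layout and the
sample rows below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io

# Minimum fixed Chrome builds per platform, as stated in Google's advisory.
FIXED_CHROME = {
    "windows": (146, 0, 7680, 76),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

# Chromium derivatives ship the same V8 and Skia code but number their builds
# independently, so the Chrome version floor must not be applied to them.
CHROMIUM_DERIVATIVES = {"edge", "brave", "opera"}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75).

    Chrome versions always have four numeric components; anything else is
    rejected rather than guessed at, so a malformed inventory field surfaces
    as 'unknown' instead of silently passing as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def chrome_status(os_name: str, version: str) -> str:
    """Classify a Chrome build as 'patched', 'vulnerable' or 'unknown'.

    Tuple comparison is used deliberately: comparing the dotted strings
    lexically would rank '146.0.7680.9' above '146.0.7680.76'.
    """
    floor = FIXED_CHROME.get(os_name.strip().lower())
    if floor is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    return "patched" if installed >= floor else "vulnerable"


def browser_status(os_name: str, browser: str, version: str) -> str:
    """Route a row to the Chrome check, or mark it for a vendor-advisory check."""
    name = browser.strip().lower()
    if name == "chrome":
        return chrome_status(os_name, version)
    if name in CHROMIUM_DERIVATIVES:
        return "check-vendor-advisory"
    return "not-applicable"


def assess_inventory(csv_text: str) -> list[dict[str, str]]:
    """Return one result per inventory row, in input order."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        results.append({
            "hostname": row["hostname"],
            "browser": row["browser"],
            "version": row["version"],
            "status": browser_status(row["os"], row["browser"], row["version"]),
        })
    return results


# Constructed sample export; hostnames and non-Chrome build numbers are
# placeholders, not real inventory data.
SAMPLE_INVENTORY = """\
hostname,os,browser,version
ws-0412,windows,chrome,146.0.7680.76
ws-0413,windows,chrome,146.0.7680.75
mac-0071,macos,chrome,146.0.7680.75
lx-build-02,linux,chrome,145.0.7600.102
ws-0500,windows,edge,146.0.0.0
mac-0072,macos,safari,18.3
"""

if __name__ == "__main__":
    report = assess_inventory(SAMPLE_INVENTORY)
    for r in report:
        print(f"{r['hostname']:<12} {r['browser']:<8} {r['version']:<16} {r['status']}")
    unpatched = [r["hostname"] for r in report if r["status"] == "vulnerable"]
    print(f"\n{len(unpatched)} endpoint(s) still unpatched: {', '.join(unpatched)}")
```

Note that ws-0413 is reported as vulnerable even though 146.0.7680.75 is the fixed build on Linux and macOS: the Windows floor is one patch level higher, which is exactly the kind of detail a single "is it 146.x?" filter in a reporting console misses.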
Broader Context
This is the second pair of Chrome zero-days in 2026, following two earlier browser exploitation events in January. The persistence of in-the-wild Chrome exploitation reflects its position as the world’s dominant browser: patching Chrome is not optional maintenance — it is an active threat mitigation task with a short window between patch release and weaponised exploit availability. Organisations that rely on manual update processes or lag behind Chrome’s stable channel by more than a few days are routinely operating with known, actively exploited vulnerabilities in their estate.