Two Chrome 146 zero-days in Skia and V8 were confirmed exploited in the wild
Contents
On March 13, 2026, Google released an emergency security update for Chrome. Two vulnerabilities were fixed, both rated CVSS 8.8 and both confirmed exploited in the wild. Google had found them internally on March 10 and shipped patches just three days later.
The two flaws
CVE-2026-3909: an out-of-bounds write in Skia
Skia is the graphics library responsible for 2D rendering in the browser, and it is widely used across Google Chrome, Android, Flutter, and Chromium-based browsers. Text rendering, image decoding, SVG drawing, and CSS effects all flow through Skia.
This bug allowed a remote attacker to write outside the bounds of memory through a crafted HTML page. Out-of-bounds write bugs (CWE-787) can overwrite adjacent data structures or pointers and are often a path to arbitrary code execution. MITRE ranked CWE-787 first in its “Top 25 Most Dangerous Software Weaknesses” in 2024 and kept it near the top in 2025 as well.
Because Skia sits deep in the rendering pipeline, successful exploitation can give the attacker memory manipulation beyond normal web content privileges. Google assigned it CVSS 8.8.
CVE-2026-3910: an inappropriate implementation in V8
V8 is Chrome’s JavaScript and WebAssembly engine, the core component that executes all JS running in the browser.
“Inappropriate implementation” is Chromium’s category for logic flaws rather than raw memory corruption. It can include type confusion, JIT optimization mistakes, or violations of internal API assumptions, and it can still lead to arbitrary code execution inside the sandbox. This one also received CVSS 8.8.
What makes a V8 bug especially dangerous is that a victim only has to open a malicious web page for the exploit to run. A single phishing link can be enough.
Google said both bugs were discovered internally on March 10, 2026 and reported the same day. The company also stated that active exploit code exists, but withheld details about the technique and the group behind it to avoid further abuse. Because the bugs were found internally, Google Threat Analysis Group probably discovered them while investigating targeted attacks, although Google did not explicitly say so.
The usual attack chain
The exact exploit method was not disclosed, but fixing Skia and V8 together is notable. Browser attacks usually chain multiple vulnerabilities: first a V8 bug to get code execution inside the sandbox, then another flaw to escape the sandbox. That two-step pattern is common.
graph TD
A[Attacker prepares a crafted web page] --> B[Victim visits the page]
B --> C[V8 bug yields arbitrary code execution inside the sandbox]
C --> D[Skia out-of-bounds write overwrites adjacent memory]
D --> E[Sandbox escape into a process outside the renderer]
E --> F[OS-level code execution, data theft, malware dropper]V8 alone keeps the attacker inside the sandbox, so the immediate impact is limited. But when combined with a low-level component bug such as Skia, a full attack chain becomes possible. We do not know whether the two flaws were chained together in the wild, but the same-day discovery and same-day patch strongly suggest a linked campaign.
Impact and patch versions
The patched Chrome builds are:
| OS | Version |
|---|---|
| Windows / macOS | 146.0.7680.75 or 146.0.7680.76 |
| Linux | 146.0.7680.75 |
You can check and apply the update from the Chrome menu under Help -> About Google Chrome. A restart is required.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the vendor patch once it is available. Because the Skia bug lives in the rendering pipeline, any browser sharing Chromium’s rendering engine is potentially affected.
Chrome zero-days in 2026
Chrome in-the-wild zero-days in 2026 so far:
| CVE | Component | Bug type | CVSS | Patch window |
|---|---|---|---|---|
| CVE-2026-2441 | CSS/Blink | use-after-free | 8.8 | February 2026 |
| CVE-2026-3909 | Skia | out-of-bounds write | 8.8 | March 2026 (this release) |
| CVE-2026-3910 | V8 | inappropriate implementation | 8.8 | March 2026 (this release) |
All three are rated CVSS 8.8, and all were patched within three days of discovery. Three zero-days in three months is roughly on pace with the 2025 annual rate of about 10.
CVE-2026-2441, fixed in February, was a use-after-free in Blink’s CSS engine and was also added to CISA’s Known Exploited Vulnerabilities catalog. February also saw an integer overflow in V8 (CVE-2026-2649), and March brought another zero-day in Mojo, Chrome’s inter-process communication system, used in a highly targeted campaign against Russian organizations.
Attackers keep spreading their focus across CSS, V8, Skia, and Mojo. Fixing one entry point does not stop them from trying another.
Related reading
- Chrome, VS Code, and Copilot security issues in one place - background on CVE-2026-2441, the CSS-engine use-after-free
- CISA adds four actively exploited vulnerabilities to the KEV catalog - CISA’s KEV addition for CVE-2026-2441
- CISA KEV roundup of major vulnerabilities - a deeper look at the structural Blink UAF issue
- Chrome 145-146 changes, including JPEG-XL and PQC migration - broader Chrome zero-day and platform changes in 2026