Two new serious vulnerabilities in the world's most popular web browser, Google Chrome, are under attack at the moment and should be patched as soon as possible, the United States Cybersecurity and Infrastructure Security Agency (CISA) said.
Both are confirmed by Google, and affect some 3.5 billion Chrome users.
CISA has now added the bugs to its Known Exploited Vulnerabilities (KEV) catalogue, which lists bugs that US federal agencies must patch.
Google updated Chrome last week, but had to add patches for the two vulnerabilities, indexed as CVE-2026-3909 and CVE-2026-3910 respectively, 48 hours later.
Technical details of the bugs are still withheld by Google, whose own researchers reported the vulnerabilities, but the first one is said to be an out-of-bounds memory write issue in the Skia 2D graphics rendering library.
The V8 JavaScript engine is also being exploited by unknown attackers.
They could the trigger the V8 vulnerability by simply crafting malicious web pages for users to visit, and execute arbitrary code inside the browser's sandbox context.
⚠️Today's browser update (v1.88.130) contains fixes for Chromium vulnerabilities found to be exploited in the wild.
— Brave (@brave) March 13, 2026
You may have received the automatic Brave update already. If not, you can manually update by visiting 'About Brave' from the browser's ☰ menu.
The Android…
Other browsers based on the open source Chromium engine, such as Opera, Microsoft Edge and Brave should also be updated as soon as possible.
As of writing, there is no indication as to who is behind the exploitation of the zero-day vulnerabilities.
_(36).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
.jpg&h=271&w=480&c=1&s=1)
_(1).jpg&h=140&w=231&c=1&s=0)
