
Less than a month after Google patched CVE-2026-2441, the company is back with another emergency update. This time there are two vulnerabilities: CVE-2026-3909 and CVE-2026-3910, both actively exploited in the wild, both carrying a CVSS score of 8.8, and both now sitting in CISA's Known Exploited Vulnerabilities catalog as of March 13, 2026.

That's three Chrome zero-days in roughly four weeks. If your organization still treats browser patching as a monthly maintenance item, this is the moment to reassess that.

What These Vulnerabilities Actually Are

These are not the same class of bug. They hit two different subsystems, and attackers are chaining them together.

CVE-2026-3909: Out-of-Bounds Write in Skia

Skia is the 2D graphics library that Chrome uses to render everything you see on screen. An out-of-bounds write vulnerability means an attacker can cause Chrome to write data beyond the bounds of an allocated memory buffer. In practice, that gives an attacker control over adjacent memory, which is typically a prerequisite for running arbitrary code on the victim's machine.

The attack vector is a crafted HTML page. Someone visits a URL, and Chrome's graphics engine processes malicious content that triggers the write. No file download. No macro. Just a page load.

CVE-2026-3910: Inappropriate Implementation in V8

V8 is Chrome's JavaScript and WebAssembly engine. This vulnerability is classified as an "inappropriate implementation" flaw, meaning the logic inside V8 can be abused to execute arbitrary code within Chrome's sandbox via a crafted HTML page.

Because these bugs hit different subsystems, security researchers have noted they could theoretically be chained: one to gain execution inside the sandbox, the other to break out. That combination would be significantly more dangerous than either vulnerability alone. Google has confirmed that exploits for both vulnerabilities exist in the wild, though the full details of how they are being deployed have not been publicly disclosed.

Both vulnerabilities were discovered and reported by Google's own security team on March 10, 2026. The fact that Google's internal researchers found these suggests they were already seeing exploitation before the public patch dropped.

The CISA KEV Deadline

CISA added both CVEs to the KEV catalog on March 13, 2026, and set a remediation deadline of March 27, 2026 for federal agencies under Binding Operational Directive 22-01. That's a 14-day window from disclosure to mandated patch.

If you're in the private sector, BOD 22-01 doesn't technically apply to you. But the KEV catalog is one of the most reliable signals we have that a vulnerability is being actively weaponized right now. CISA doesn't add bugs to the list on speculation. If it's in KEV, real targets have been hit.

What You Need to Patch

Update Chrome to the latest available version. Any installation that hasn't received a recent update is potentially exposed. Microsoft Edge, which shares Chrome's Chromium engine, is also affected. Check edge://settings/help and update to the latest available version.

If your organization runs any Chromium-based browser, including Chrome, Edge, Brave, or Opera, you need to verify it's updated. "Chromium-based" is the key phrase. They all share the same underlying engine, and many of them inherit these vulnerabilities until they ship their own updates.

To verify Chrome on any machine:

  1. Open Chrome and navigate to chrome://settings/help
  2. Chrome will check for updates automatically on that screen
  3. Apply any available update and confirm Chrome relaunches on the latest version

The Pattern Nobody Wants to Talk About

Three Chrome zero-days in four weeks is not noise. It's a signal that someone is investing serious resources into browser exploitation right now.

From a pentester's perspective, this tracks with something I've seen for years: the browser is the softest perimeter most organizations have. Your firewall might be locked down. Your VPN might require MFA. But Chrome runs on every workstation, touches every web application, stores session tokens for your cloud services, and most organizations have no visibility into what it's doing.

When a zero-day targets Chrome, the blast radius is enormous. A single compromised browser session can hand an attacker:

This is why CISA is treating browser patching like critical infrastructure. The rest of the industry is catching up.

What Good Browser Patching Actually Looks Like

Most organizations are still relying on Chrome's auto-update mechanism and hoping for the best. That approach is not a patch management program. It's a wish.

A functional browser patching process has a few requirements. First, you need visibility: an endpoint management tool (Intune, SCCM, Jamf for Mac shops) that can report which version of Chrome is running on every machine right now. Without that, you're flying blind.

Second, you need enforcement. Auto-update gets you eventually. For a KEV-listed zero-day, "eventually" is not good enough. You need the ability to push a browser update to your entire fleet and confirm it applied within hours, not days.

Third, you need a process for Chromium-based browsers beyond Chrome. If your organization uses Edge as the default browser but has Chrome installed as a secondary, both need to be tracked and patched. Unmanaged software is where attackers look first.
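The per-machine check above tells you about one workstation; the visibility and enforcement requirements here need the same question answered for every host at once, across every Chromium-based browser. The following Python script is an added example, not code from the original post or from Zio Security: it reads a browser inventory export (the CSV layout with columns host, browser and version is an assumption, standing in for whatever your endpoint management tool produces) and flags each installation as patched, vulnerable, unparseable, or running a browser you are not tracking at all. The sample rows and the minimum-version table are constructed placeholders, because the post does not state the fixed build numbers; replace them with the builds from the vendor release notes for the CVEs you are tracking.

```python
"""Fleet browser-version audit for Chromium-based browsers.

Added example, not part of the original post. The inventory format
(CSV with host,browser,version) and the version thresholds below are
assumptions and placeholders, not the real fixed builds for
CVE-2026-3909 / CVE-2026-3910.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Browsers the post names as sharing the Chromium engine. Keys must match
# the inventory's "browser" column. Values are PLACEHOLDERS: substitute the
# fixed build numbers from each vendor's release notes.
MIN_FIXED_VERSION = {
    "chrome": "134.0.0.0",  # placeholder
    "edge": "134.0.0.0",    # placeholder
    "brave": "1.76.0.0",    # placeholder
    "opera": "117.0.0.0",   # placeholder
}

# Constructed sample inventory, as an endpoint tool might export it.
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,133.0.0.1
ws-002,chrome,134.0.0.5
ws-003,edge,134.0.1.0
ws-004,brave,1.75.180
ws-005,opera,117.0.0.0
ws-006,vivaldi,7.2.0.0
ws-007,chrome,134
ws-008,chrome,n/a
"""


@dataclass
class Finding:
    host: str
    browser: str
    version: str
    status: str  # "ok", "vulnerable", "unknown-browser" or "bad-version"


def parse_version(v: str) -> tuple[int, ...]:
    """Chromium versions are dotted integers (major.minor.build.patch)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def _pad(t: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so "134" compares as 134.0.0.0."""
    return t + (0,) * (n - len(t))


def is_patched(browser: str, version: str) -> bool:
    """True when the installed version is at or above the tracked minimum."""
    required = parse_version(MIN_FIXED_VERSION[browser])
    have = parse_version(version)
    n = max(len(required), len(have))
    return _pad(have, n) >= _pad(required, n)


def audit(inventory_csv: str) -> list[Finding]:
    """Classify every row of the inventory export."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        browser = row["browser"].strip().lower()
        version = row["version"].strip()
        if browser not in MIN_FIXED_VERSION:
            # Untracked Chromium derivative: no threshold, so it cannot be
            # verified and counts as needing action.
            findings.append(Finding(host, browser, version, "unknown-browser"))
            continue
        try:
            status = "ok" if is_patched(browser, version) else "vulnerable"
        except ValueError:
            status = "bad-version"  # agent reported garbage; re-inventory
        findings.append(Finding(host, browser, version, status))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of hosts per status."""
    return dict(Counter(f.status for f in findings))


def hosts_needing_action(findings: list[Finding]) -> list[str]:
    """Every host that is not confirmed patched, sorted for the ticket."""
    return sorted(f.host for f in findings if f.status != "ok")


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:8} {f.browser:8} {f.version:12} {f.status}")
    print("summary:", summarize(results))
    print("needs action:", hosts_needing_action(results))
```

Run it against the constructed inventory and four of the eight hosts come back as needing action: one Chrome and one Brave install below their thresholds, one host running a Chromium browser that is not in the tracked set, and one host whose agent reported a version string that cannot be parsed. Treating the last two as action items rather than ignoring them is deliberate: an untracked or unreadable browser is exactly the unmanaged software the post says attackers look for first.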

What This Means for Your Security Program

If your security team is scrambling to verify Chrome versions right now in response to this post, that's a gap worth naming. The scramble itself tells you something about your patching visibility.

A penetration test can surface exactly this kind of structural weakness before an attacker does. Not just "is Chrome patched today" but "do you have the process to patch it tomorrow, and the day after, every time Google ships an emergency update?" Increasingly, that's every few weeks.

The threat landscape has shifted. Browser zero-days are no longer rare events that your patching process can absorb at a comfortable pace. They are now a recurring operational reality that requires the same urgency and process discipline as any other critical system in your environment.

Is Your Patching Process Built for This?

Zio Security can assess your vulnerability management program, identify the gaps attackers would find first, and help you build a process that holds up when the next zero-day drops. Let's talk.
