Chrome Zero-Day Flaw Exposed: Google Patches Two Critical Exploits Targeting Skia and V8

Google has issued emergency security patches for its Chrome browser, neutralizing two high-severity zero-day vulnerabilities actively exploited in the wild. The flaws, tracked as CVE-2026-3909 and another critical bug in the V8 JavaScript engine, represent a direct threat to millions of users worldwide. CVE-2026-3909 carries a CVSS score of 8.8 and stems from an out-of-bounds write vulnerability in the Skia 2D graphics library. This flaw enables remote attackers to execute out-of-bounds memory access through a carefully crafted HTML payload. The second vulnerability, residing in Chrome’s V8 engine, allows for arbitrary code execution when processing malicious JavaScript. Both exploits have been weaponized by threat actors, prompting Google’s rapid response. The tech giant’s security team confirmed the in-the-wild exploitation without disclosing specific attack details, maintaining operational secrecy around the threat landscape.

Reported by: Lyra Sterling

Lyra Sterling focuses on global economic shifts and digital assets.