{"id":15958,"date":"2026-03-13T19:56:16","date_gmt":"2026-03-13T19:56:16","guid":{"rendered":"https:\/\/newestek.com\/?p=15958"},"modified":"2026-03-13T19:56:16","modified_gmt":"2026-03-13T19:56:16","slug":"google-warns-of-two-actively-exploited-chrome-zero-days","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15958","title":{"rendered":"Google warns of two actively exploited Chrome zero days"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Threat actors are exploiting two high severity zero day vulnerabilities in the Chrome browser that experts say IT teams must patch immediately.<\/p>\n<p><a href=\"https:\/\/chromereleases.googleblog.com\/2026\/03\/stable-channel-update-for-desktop_12.html\">Google has issued emergency patches<\/a> for the two holes, CVE-2026-3909 and CVE-2026-3910.\u00a0This comes just days after the release of 29 fixes for holes as part of March Patch Tuesday, and <a href=\"https:\/\/www.csoonline.com\/article\/4132879\/exploit-available-for-new-chrome-zero-day-vulnerability-says-google.html\">a zero day patch released in February.<\/a> Affected are browsers before version 146.0.7680.75.<\/p>\n<p>These exploits provide yet another reason why infosec leaders need to ensure there\u2019s a corporate patching strategy in place for all authorized browsers and plugins.<\/p>\n<p>\u201cIf you\u2019re not managing browser patches, your odds of getting pwned are increasing daily,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\">David Shipley<\/a> of Canadian-based security awareness training provider Beauceron Security.\u00a0<\/p>\n<p><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3910\">CVE-2026-3910<\/a> allows a remote attacker 
to execute arbitrary code inside a sandbox via a crafted HTML page, because of an inappropriate implementation within Chrome\u2019s V8 JavaScript and WebAssembly engine. <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3909\">CVE-2026-3909<\/a> allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page;\u00a0the cause is an out-of-bounds write in Chrome\u2019s Skia graphics library.\u00a0Accessing browser memory could result in the loss of sensitive corporate information, noted Shipley.<\/p>\n<p>Following company policy, Google isn\u2019t releasing details about the bugs until a majority of users are updated with a fix.<\/p>\n<h2 class=\"wp-block-heading\" id=\"browsers-a-prime-target\">Browsers a prime target<\/h2>\n<p>Browsers are a prime target for threat actors because they are a tool everyone online uses. <a href=\"https:\/\/start.paloaltonetworks.com\/omdia-state-of-workforce-security\">A 2025 report by Omdia for Palo Alto Networks<\/a> estimated that, in a 12-month period, 95% of organizations suffered a security incident originating from an employee\u2019s browser.<\/p>\n<p>Because of this, <a href=\"https:\/\/www.csoonline.com\/article\/4101173\/hardening-browser-security-with-zero-trust-controls.html\">one expert has noted<\/a> that adversaries now target the browser directly, with attacks like cross-site scripting (XSS), session hijacking via stolen tokens, and advanced phishing that bypasses traditional MFA. 
A browser-centric zero trust framework is the necessary response, he argued.<\/p>\n<p>These new flaws underscore the reason why browser engines remain among the most attractive targets for attackers, noted <a href=\"https:\/\/www.linkedin.com\/in\/bicer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Jack Bicer<\/a>, director of vulnerability research at Action1. \u201cWith active exploitation already confirmed, organizations that delay updates risk exposing users to drive-by attacks delivered through compromised or malicious websites.\u201d<\/p>\n<p>Chromium and all Chromium-based browsers, including Chrome, Edge, and others, must be updated to the latest security versions as soon as possible, he said. Admins should also ensure that automatic updates are enabled across enterprise endpoints, monitor for outdated browser versions, and consider browser isolation technologies to reduce exposure to web-based attacks.<\/p>\n<p><a href=\"https:\/\/www.tenable.com\/profile\/scott-caveza\">Scott Caveza<\/a>, senior staff research engineer at Tenable, agreed that the latest two zero days should be on the radar of any organization where Chrome is actively installed. 
While Google hasn\u2019t provided details on the abuse of these flaws, he noted that most browser-related exploits do require a victim to visit a crafted website, making attacks more likely to be targeted.\u00a0<\/p>\n<p>Fortunately, he added, updating Chrome is fast and easy, and many installations leave automatic updates enabled.<\/p>\n<p>\u201cWe know attackers are opportunistic, and when they set their sights on one of the most widely installed browsers in the market, it\u2019s imperative that teams are taking action now to ensure updates are applied as soon as possible,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are exploiting two high severity zero day vulnerabilities in the Chrome browser that experts say IT teams must patch immediately. Google has issued emergency patches for the two holes, CVE-2026-3909 and CVE-2026-3910.\u00a0This comes just days after the release of 29 fixes for holes as part of March Patch Tuesday, and a zero day patch released in February. Affected are browsers before version 146.0.7680.75&#8230;. 
<\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15958\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15958","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15958"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15958\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}