Zero-Day Security Alert — March 17, 2026: Google Chrome V8 and Skia Actively Exploited
- Jacob Hughes
- Mar 17
Daily Security Briefing
March 17, 2026
Both vulnerabilities below were originally published by NVD on March 13, 2026 and added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 16, 2026. This briefing is issued on March 17 to highlight the active exploitation risk for organizations that have not yet applied patches.
CVE-2026-3909 | CVSS 8.8 | HIGH Severity | Actively Exploited (CISA KEV)
Affected Product
Google Chrome (all versions prior to 146.0.7680.75) on Windows, macOS, and Linux
Description
An out-of-bounds write vulnerability exists in the Skia graphics library used by Google Chrome. A remote attacker can exploit this flaw to perform out-of-bounds memory access via a crafted HTML page, potentially leading to code execution or privilege escalation within the browser process.
Attack Vector
Network-based attack requiring no privileges. The victim must visit a malicious or attacker-controlled web page (user interaction required). No authentication is needed on the attacker's side.
Remediation
Update Google Chrome to version 146.0.7680.75 or later immediately. Chrome typically auto-updates, but administrators should verify deployment via fleet management tools. If patching is not immediately possible, restrict browser access or apply network-level controls until the update can be applied.
CISA Remediation Due Date: March 27, 2026
CVE-2026-3910 | CVSS 8.8 | HIGH Severity | Actively Exploited (CISA KEV)
Affected Product
Google Chrome V8 JavaScript engine (all versions prior to 146.0.7680.75) on Windows, macOS, and Linux
Description
An inappropriate implementation vulnerability in Chrome's V8 JavaScript engine allows a remote attacker to execute arbitrary code inside a browser sandbox via a crafted HTML page. This flaw, if chained with a sandbox escape exploit, could lead to full system compromise.
Attack Vector
Network-based attack requiring no privileges. Exploitation requires the victim to visit a maliciously crafted web page (user interaction required). No prior authentication or foothold is needed by the attacker.
Remediation
Update Google Chrome to version 146.0.7680.75 or later. Enterprise administrators should push the update via managed deployment tools such as Intune, SCCM, or Chrome Browser Cloud Management. Users on managed devices should confirm the update has been applied by navigating to chrome://settings/help.
CISA Remediation Due Date: March 27, 2026
This report is generated automatically from NVD and CISA KEV data.
