Google Zero-Day Alert For 3.5 Billion Chrome Users—Attacks Underway - Forbes
By Davey Winder, Senior Contributor. Davey Winder is a veteran cybersecurity writer, hacker and analyst.
Mar 15, 2026, 10:45am EDT (updated Mar 17, 2026, 11:05am EDT)
Google issues emergency Chrome security update.
LightRocket via Getty Images
Updated March 15: Following the confirmation of two Chrome browser zero-days already being exploited by attackers and resulting in an emergency security update rollout, the Cybersecurity and Infrastructure Security Agency has urged all organizations to update as soon as possible. The article also now includes details of the millions of dollars paid to security researchers by Google for vulnerability disclosures.
While weekly security updates have been a thing since 2023, when Google drops a second Chrome browser security update just 48 hours after the first, you know something serious is happening. And it is: Google has confirmed no fewer than two zero-day vulnerabilities targeting Chrome users and admits that exploits are already out there.
Google has stated that, starting with Chrome 153, stable release updates will move to a fortnightly schedule, halving the current timeline. I mention this because one dropped on March 10, including a whopping 29 vulnerability fixes. The previous security update was published on March 3. Now Google has confirmed an emergency security update addressing CVE-2026-3909 and CVE-2026-3910, both of which are of the zero-day variety.
While Microsoft has a somewhat unique way of defining zero-days, using a vulnerability classification that only requires the vulnerability to be known prior to a patch being released, rather than actively exploited, regular readers will understand that the more widely accepted definition means that actual attacks are already happening before any update is issued and before the vendor is aware of the vulnerability itself.
Here’s what we know, and what action 3.5 billion Google Chrome browser users need to take.
Although full access to the technical details of these new zero-day vulnerabilities will, as Google said, “be kept restricted until a majority of users are updated with a fix,” here’s the information that’s publicly available.
First, both vulnerabilities carry a high-severity Common Vulnerability Scoring System rating and affect core components of the Chrome browser’s underlying technology.
Second, these zero-days were discovered in-house by Google, rather than by external security researchers, as is most often the case. This isn’t altogether surprising, considering that Google can lay claim to one of the best in-house security teams on the planet when it comes to vulnerability research. Project Zero, which was founded in 2014, doesn’t just focus on Google products but also on zero-day vulnerabilities in all major hardware and software systems.
“We perform vulnerability research on popular software like mobile operating systems, web browsers, and open source libraries,” Project Zero confirmed, using the results “to patch serious security vulnerabilities, to improve our understanding of how exploit-based attacks work, and to drive long-term structural improvements to security.”
CVE-2026-3909 is what is known as an out-of-bounds memory vulnerability, which is usually associated with the remote execution of code when exploited by attackers. In this case, the vulnerability sits with Chrome’s graphics library component, Skia, which is employed, in part at least, to render both the user interface and web content. An exploit could be triggered, as with the CVE-2026-3913 vulnerability I warned about on March 12, simply by the user visiting a malicious web page.
CVE-2026-3910, meanwhile, is to be found in the equally critical Chrome component known as V8. This is the browser’s JavaScript engine, and as such, a perennial favorite for hackers to exploit when the opportunity arises. OpenCVE described this zero-day as being an inappropriate implementation vulnerability that could allow “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.”
The U.S. Cybersecurity and Infrastructure Security Agency, which likes to call itself America’s cyber defense agency but is more formally referred to by the CISA acronym, has added both the CVE-2026-3909 and CVE-2026-3910 Google Chrome security vulnerabilities to the Known Exploited Vulnerabilities Catalog database. This is important for many reasons, not least that it adds a very official, very government-level and formal confirmation of the use of the vulnerabilities in attacks, but also because of what this means for certain federal agencies and the wider business enterprise ecosystem.
Given the “evidence of active exploitation” that CISA referred to, and the fact that these types of vulnerabilities often represent “frequent attack vectors for malicious cyber actors,” the KEV addition statement warned that, as such, both CVEs “pose significant risks to the federal enterprise.” Indeed, BOD 22-01 states: “It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”
Which is why it has brought Binding Operational Directive 22-01 into play. This obligates federal civilian executive branch agencies to remediate both vulnerabilities within 21 days of the KEV catalog addition, “to protect FCEB networks against active threats.” While, as a business enterprise, or any organization for that matter, you might think this has nothing to do with you, you would be wrong. As CISA eloquently stated: “Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”
Seriously, ignore this advice at your peril. Obviously, your patch management program will depend upon threat exposure and risk, alongside operational requirements, but if America’s cyber defense agency is taking CVE-2026-3909 and CVE-2026-3910 this seriously, it’s a good idea to follow its lead. “Known exploited vulnerabilities should be the top priority for remediation. Based on a study of historical vulnerability data dating back to 2019, less than 4% of all known vulnerabilities have been used by attackers in the wild,” CISA said.
Although the two latest zero-days were, it has been confirmed, discovered by Google itself, the Vulnerability Reward Program, which offers cash bounties to external security researchers to discover and disclose vulnerabilities, turned 15 last year. During that time, it awarded an incredible $81.6 million to researchers, and in 2025 alone, the total exceeded $17 million. The largest single bounty paid during 2025 was awarded to two researchers “able to find logic bugs in Chrome’s inter-process communication mechanisms with demonstrated exploitation,” wrote Google technical program manager Tony Mendez and Google technical writer Dirk Göhmann. In total, more than 100 security researchers were rewarded $3,716,750 for vulnerabilities that impacted Chrome.
While the VRP does not focus on Chrome alone, Google thankfully does have a dedicated Chrome VRP, and it added AI-related vulnerability disclosure awards last year. Of course, the Chrome VRP itself doesn’t restrict itself to AI. “Chrome’s Top 20 researchers worked across all facets of Chrome,” the report said, “from memory safety and fuzzing to user-interface issues including permission hijacking and displaying URLs correctly for two web pages at once using split-view.” The overall AI VRP has, the report stated, issued $350,000 in bounty payments since launch.
If you ever think Chrome is inherently insecure because of the number of vulnerabilities uncovered, I would humbly suggest you are wrong. In fact, I’d say the exact opposite: thanks to the dedication of security researchers within and outside of Google itself, who uncover vulnerabilities mostly before they can be exploited, Chrome is a much safer browser than those without such a VRP.
“Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services,” the report concluded, and that’s only possible with the security research community.
As for what Chrome users need to do, you might be thinking the simple answer is nothing. That’s because Google has already started the process of deploying the security update to all users. However, things are not quite that straightforward. For a start, Google has also said this security update will roll out “over the coming days/weeks.” And finally, you will need to ensure your browser is relaunched for the update to be activated once it has reached you.
Google Chrome security updater.
Davey Winder
I’ve said it before and will no doubt say it again: zero-days should never be underestimated. The recommended course of action, therefore, is to use the browser’s three-dot menu to locate the Help | About Google Chrome option, which checks for any updates (in this case, 146.0.7680.75/76 for Windows/Mac and 146.0.7680.75 for Linux) and initiates the download and installation if the latest security fixes are not found.
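For anyone responsible for more than one machine, the manual Help | About check above does not scale, and the KEV addition brings a 21-day clock for FCEB agencies. The script below is an added example, not code from Forbes or Google: it takes a constructed Chrome inventory, compares each reported build against the fixed versions named in this article (146.0.7680.75/76 for Windows/Mac, 146.0.7680.75 for Linux), and computes the BOD 22-01 due date from a KEV-addition date the caller supplies (the date used here is a placeholder, not taken from the CISA entry).

```python
"""Fleet check for the Chrome 146.0.7680.75 fix (added example; hostnames,
versions and the KEV-addition date are constructed for illustration)."""
from datetime import date, timedelta

# Minimum fixed builds named in the article. Windows/Mac shipped as .75/.76,
# so .75 is the floor on every platform.
FIXED_MIN = {
    "windows": (146, 0, 7680, 75),
    "mac": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}
KEV_REMEDIATION_DAYS = 21  # BOD 22-01 window quoted in the article


def parse_version(text):
    """Turn 'Google Chrome 146.0.7680.60' or '146.0.7680.75' into an int tuple."""
    token = text.strip().split()[-1]
    parts = token.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, version_text):
    """True when the reported build is at or above the fixed build for that platform."""
    key = platform.lower()
    if key not in FIXED_MIN:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version_text) >= FIXED_MIN[key]


def remediation_report(inventory, kev_added_iso):
    """Return (host, platform, version, due_date_iso) for every host still vulnerable."""
    due = date.fromisoformat(kev_added_iso) + timedelta(days=KEV_REMEDIATION_DAYS)
    return [
        (host, plat, ver, due.isoformat())
        for host, plat, ver in inventory
        if not is_patched(plat, ver)
    ]


# Constructed sample inventory: made-up hosts and the builds they report.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "Google Chrome 146.0.7680.60"),  # pre-fix build
    ("ws-02", "Windows", "Google Chrome 146.0.7680.76"),  # fixed
    ("mac-01", "Mac", "146.0.7680.75"),                    # fixed
    ("lx-01", "Linux", "145.0.7632.120"),                  # older major, vulnerable
]

if __name__ == "__main__":
    # Placeholder KEV-addition date; substitute the date on the CISA entry.
    for row in remediation_report(SAMPLE_INVENTORY, "2026-03-13"):
        print("NEEDS UPDATE:", *row)
```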