Breaking Update: Here’s a clear explanation of the latest developments related to Breaking News:Google rushes Chrome update to fix zero-days under attack • The Register– What Just Happened and why it matters right now.
Google has pushed out an emergency Chrome update to fix two previously unknown vulnerabilities that attackers were already exploiting before the patches landed.
The bugs, tracked as CVE-2026-3909 and CVE-2026-3910, affect core components of the browser and have prompted the usual warning from Google that technical details will remain under wraps until most users have updated.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” the company said.
CVE-2026-3909 is an out-of-bounds write flaw in Skia, the graphics library Chrome uses to render web content and parts of its user interface. Memory corruption bugs like this can sometimes be abused by attackers to crash applications or run their own code if successfully exploited.
The second bug, CVE-2026-3910, is described as an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine, the part of Chrome responsible for executing scripts on webpages. V8 vulnerabilities are particularly valuable to attackers because they can potentially be triggered by getting a target to visit a malicious or compromised site.
Google says it is aware that exploits for both vulnerabilities are in the wild, though it hasn’t shared details on how the bugs are being used or who might be behind the attacks. That silence is fairly typical when zero-days are involved; vendors tend to hold back technical information to avoid handing exploit developers a blueprint before patches have spread widely.
The fixes are included in the latest Chrome Stable update for Windows, macOS, and Linux, which should roll out automatically over the coming days and weeks. Users can also trigger the update manually through Chrome’s settings menu and will need to restart the browser to complete installation.
Google says both bugs were discovered in-house, which isn’t always the case. The company also revealed this week that it paid $17 million to 747 security researchers through its Vulnerability Reward Program in 2025.
The fixes arrive roughly a month after Google patched another actively exploited Chrome zero-day, CVE-2026-2441, a high-severity use-after-free vulnerability in the browser’s CSS handling that could allow a malicious webpage to execute code inside the browser’s sandbox.
With two more zero-days now under attack, Chrome’s 2026 tally is already growing. If your browser is nagging you to restart for an update, this might be a good moment to listen. ®