Google released emergency security updates for two high-severity Chrome zero-days, CVE-2026-3910 and CVE-2026-3909, which are already being exploited in the wild.

CVE-2026-3910 is an inappropriate implementation flaw in the V8 JavaScript and WebAssembly engine that could allow arbitrary code execution from a crafted HTML page within the V8 sandbox.

If prompted to restart, users should allow the update to complete the installation and protections.

Google did not disclose attack details or threat actor identities, adhering to its security disclosure practices.

The report is a syndicated Malwarebytes Security Bloggers Network article summarizing Google’s patch and providing protective guidance.

Google limited public bug detail until most users are updated, and may restrict access to bug specifics if the issue affects third-party libraries.

As a standard zero-day precaution, detailed information is withheld to hinder exploitation while updates roll out widely.

There is urgent urgency for users to update promptly due to active exploitation and heightened risk.

Chrome’s update rollout is automatic but may take days to weeks to reach all users given the large installed base.

Microsoft Edge will receive the same fixes soon, as Microsoft is addressing these exploits in its own updates.

Federal agencies must address these vulnerabilities by late March, with private organizations urged to review KEV and patch accordingly.

Security best practices include enabling automatic updates, avoiding unsolicited links, restarting devices as needed, and using up-to-date real-time anti-malware with web protection.