Google Fixes Two Chrome Zero-Days Exploited in the Wild

What Happened

Google has released an emergency security update for its Chrome browser to address two high-severity zero-day vulnerabilities that are being actively exploited in the wild. The update, version 131.0.6778.114 for Windows and macOS and 131.0.6778.114 for Linux, patches flaws within the browser’s Skia 2D graphics library and its V8 JavaScript engine. Google’s Threat Analysis Group (TAG) confirmed the active exploitation, a clear sign that threat actors have weaponized these flaws before a patch was publicly available. The company has restricted details about the attacks to prevent further exploitation while a majority of users update.

Why It Matters

The exploitation of these zero-days represents a significant and immediate threat to browser security. Chrome’s massive user base, exceeding 3 billion installations globally, makes it a prime target for attackers. Successful exploitation can allow adversaries to bypass security boundaries, execute arbitrary code, or potentially gain control of a user’s system simply by convincing them to visit a malicious website. For organizations, this underscores the critical importance of rapid patch deployment, as these vulnerabilities are already in attackers’ toolkits, increasing the risk of targeted attacks, data theft, and further network compromise.

Technical Details

The two vulnerabilities are tracked as CVE-2026-3909 and one other which, at the time of writing, has not been assigned a public CVE identifier. CVE-2026-3909 is a type confusion flaw in the V8 JavaScript engine. Type confusion vulnerabilities occur when code passes a variable of one type to a function expecting a different type, which can lead to memory corruption and allow an attacker to execute arbitrary code. The second flaw resides in the Skia graphics library, which handles rendering tasks. Exploiting these in tandem could allow an attacker to craft a malicious webpage that, when loaded, triggers the vulnerabilities to achieve code execution within the Chrome sandbox or potentially escape it.

Immediate Risk

The immediate risk is HIGH for unpatched systems. With confirmed in-the-wild exploitation, the window for attackers to target vulnerable Chrome instances is open. The attack vector is low-complexity, requiring only that a user visit a compromised or malicious website, making drive-by download attacks a likely scenario. All users and enterprises running Chrome versions prior to 131.0.6778.114 are at direct risk. The urgency to apply the update is critical, as exploit code for these flaws may proliferate rapidly now that the patch is public and reverse-engineering efforts begin.

Security Insight

This incident is a stark reminder that browser security is a frontline defense. Security teams must treat browser updates with the same urgency as operating system patches. Enable automatic updates for Chrome across all enterprise endpoints immediately. For high-value targets, consider temporarily restricting browser use to essential services until patches are verified as deployed. Furthermore, this highlights the value of exploit mitigation technologies like Control Flow Integrity (CFI) in V8, which can make exploiting type confusion bugs more difficult, and reinforces the need for robust sandboxing to contain potential breaches.