Google fixes two new Chrome zero-days exploited in attacks
Google fixes two new Chrome zero-days exploited in attacks
Information:
Google Chrome is a web browser developed by Google, built on the Chromium engine for speed, simplicity, and high security. It offers seamless integration with Google services and supports a vast library of extensions, making it the most popular browser worldwide.
Incident :
Google has released an emergency update to fix two high-severity Chrome vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are actively exploited as zero-day attacks.
The first vulnerability, CVE-2026-3909, exists in Skia (a 2D graphics library) and is an out-of-bounds write issue, which could be exploited to crash the browser or execute arbitrary code on a user’s system.
The second vulnerability, CVE-2026-3910, affects the V8 Engine (JavaScript and WebAssembly) and stems from an improper implementation, which could be exploited through malicious websites.
Google discovered both vulnerabilities and was able to release patches within two days of reporting. Updated versions have been released for users on the Stable Desktop channel as follows:
- Windows: 146.0.7680.75
- macOS: 146.0.7680.76
- Linux: 146.0.7680.75
Google has limited disclosure of technical details to prevent further exploitation while users are still patching.This incident highlights that core components like rendering engines and JavaScript engines remain key targets for attackers.These are the second and third Chrome zero-days actively exploited in the wild so far in 2026.
Solution :
- update your web browser manually, you can also have it check for updates automatically and install them at the next launch.
The important things is Security systems. We must concern and monitor as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)
References :
Weekly Interesting CVE
| NO. |
CVE Name |
Published Date |
Last Update |
Device/Appplication/OS Target |
Attack Type |
CVSS |
Detail |
Solution |
Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 |
CVE-2026-30903 |
11/03/2026 |
11/03/2026 |
Zoom Workplace for Windows before 6.6.0 |
Broken Access Control |
9.6 |
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access. |
Update to version 6.6.0 or later. |
https://www.leakycreds.com/vulnerability/CVE-2026-30903
|
| 2 |
CVE-2026-3936 |
11/03/2026 |
12/03/2026 |
Google Chrome on Android prior to 146.0.7680.71 |
Use After Free |
8.8 |
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Update to version 146.0.7680.71 or later. |
https://www.leakycreds.com/vulnerability/CVE-2026-3936
|
| 3 |
CVE-2026-21000 |
16/03/2026 |
16/03/2026 |
Samsung Galaxy Store prior to version 4.6.03.8 |
Access Control |
7 |
Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege. |
Update to version 4.6.03.8 or . |
|
| 4 |
CVE-2026-32635 |
13/03/2026 |
13/03/2026 |
Angular |
Cross site scripting (XSS) |
8.1 |
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. |
This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. |
https://www.cvedetails.com/cve/CVE-2026-32635/
|
| 5 |
CVE-2026-3910 |
12/03/2026 |
13/03/2026 |
Google Chrome |
Execute code |
8.8 |
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
Update Google Chrome to version 146.0.7680.75 or higher immediately. |
https://www.cvedetails.com/cve/CVE-2026-3910/
|
Malware News or Campaign IOC/IOA | EN
|
No |
Campaign Name |
Detection Date |
Attack Type |
Description |
Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 |
AI-generated malware Slopoly used in Interlock ransomware attacks |
13/03/2026 |
Malware, Ransomware, AI/ML |
As reported by Bleeping Computer, a new malware strain named Slopoly, believed to be developed using generative AI tools, has been identified as a component in recent Interlock ransomware attacks. This backdoor allowed attackers to maintain access to compromised servers for over a week, facilitating significant data exfiltration. The attack chain begins with the social engineering tactic known as ClickFix. Once inside a system, threat actors deploy Slopoly as a PowerShell script, functioning as a client for a command-and-control (C2) framework. The malware collects system information, executes commands remotely, and establishes persistence through scheduled tasks. In observed attacks, Slopoly was deployed alongside other backdoors like NodeSnake and InterlockRAT, culminating in the Interlock ransomware payload. |
|
Ref:https://www.scworld.com/brief/ai-generated-malware-slopoly-used-in-interlock-ransomware-attacks
24 March 2026
Viewed 67 time
