Google Rushes Emergency Chrome Update to Patch Two Zero-Days Already Under Active Attack
Vulnerabilities in Skia graphics library and V8 JavaScript engine bring browser zero-day tally to three in 2026
The two zero-day vulnerabilities represent serious threats to Chrome users worldwide. The Skia graphics library handles rendering across Chrome, while V8 is the JavaScript engine that powers web applications. Both are deeply embedded in the browser stack, making exploitation potentially devastating.
Google has not disclosed detailed technical information about either vulnerability, a standard practice to give users time to update before attack methodologies become widely known. The company confirmed that exploits for both flaws exist in the wild.
This emergency patch brings Chrome's tally of actively exploited zero-day vulnerabilities to three so far in 2026, a pace that suggests browser security remains a high-priority battleground between attackers and defenders.
Analysis
Why This Matters
Chrome commands roughly two-thirds of the global browser market, making any actively exploited vulnerability a potential threat to billions of users. Zero-days in core rendering and JavaScript engines are particularly dangerous because they can be triggered simply by visiting a malicious website.
Background
Browser zero-days have become one of the most valuable commodities in the exploit market, with brokers paying millions for reliable Chrome chains. Google's Project Zero and Threat Analysis Group have been increasingly aggressive in detecting and patching these flaws.
What to Watch
Users should ensure Chrome auto-updates are enabled and restart their browser to apply the patch. Organizations running managed Chrome deployments should prioritize pushing this update immediately.