
Google Patches Two Chrome Zero-Days; GTIG Warns of Intellexa Exploits

Google on Thursday pushed security updates for Chrome to fix two high-severity vulnerabilities that the company said are being exploited in the wild.

Google identified the two flaws as CVE-2026-3909, an out-of-bounds write in the Skia 2D graphics library, and CVE-2026-3910, an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Both carry a CVSS score of 8.8 and, according to Google, can be triggered by a crafted HTML page to enable memory corruption or sandbox escape.

“Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild,” the company said. Google reported both issues on March 10, 2026, and released updates for Chrome users. The company advised Windows and macOS users to move to versions 146.0.7680.75 or 146.0.7680.76, and Linux users to 146.0.7680.75. To update, Google said users can go to More > Help > About Google Chrome and select Relaunch.
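As an added defender-side check that is not part of the article or anything Google published, the following Python compares installed Chrome builds against the fixed versions quoted above and flags hosts that still need the update; the inventory format and hostnames are constructed for the example, and an unparsable version or unlisted platform is reported as "unknown" rather than treated as safe.

```python
from typing import Optional, Tuple

# Minimum fixed build per platform, as listed in the article. Google
# named .75 or .76 for Windows/macOS, so .75 is the lower bound.
FIXED_VERSIONS = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'146.0.7680.75' -> (146, 0, 7680, 75); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if at/above the fixed build. None for an unknown platform
    or malformed version: treat as 'needs review', never as safe."""
    minimum = FIXED_VERSIONS.get(platform.lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return None
    return parsed >= minimum

def find_unpatched(inventory: str) -> list:
    """Hosts not confirmed patched, as (host, platform, version, status).
    Inventory lines are 'host,platform,version' (constructed format)."""
    findings = []
    for line in inventory.strip().splitlines():
        host, platform, version = (f.strip() for f in line.split(","))
        status = is_patched(platform, version)
        if status is True:
            continue
        findings.append((host, platform, version,
                         "unknown" if status is None else "unpatched"))
    return findings

# Constructed sample inventory; hostnames are not real.
SAMPLE_INVENTORY = """\
ws-01,windows,146.0.7680.76
ws-02,windows,146.0.7680.60
mac-01,macos,146.0.7680.75
lnx-01,linux,145.0.7632.100
lnx-02,linux,146.0.7680.75
kiosk-01,chromeos,146.0.7680.75
bad-01,windows,146.0
"""
```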

Google also noted this is the third actively exploited Chrome zero-day it has patched since the start of the year, following fixes for a use-after-free bug in the browser CSS component tracked as CVE-2026-2441. “We recommend users keep Chrome and other software up to date,” Google said, and it advised users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi to apply vendor updates as they become available.

In related reporting, Google Threat Intelligence Group, known as GTIG, published an analysis highlighting continued exploitation of zero-day vulnerabilities by a commercial spyware group called Intellexa. GTIG said Intellexa remains prolific at acquiring or developing zero-days, particularly against mobile browsers, and that it accounted for roughly 15 unique zero-days out of about 70 tracked by Google since 2021.

GTIG described how Intellexa and its customers have used multi-stage exploit chains. Researchers at CitizenLab helped capture a full iOS exploit chain that GTIG said installed Intellexa’s Predator spyware. GTIG said the chain used a framework called JSKit, an RCE toolkit that has surfaced in multiple campaigns, and a later stage tracked as PREYHUNTER that provides helper and watcher modules for persistence and surveillance.

GTIG warned that Intellexa uses both one-time links sent via encrypted messengers and malicious advertisements to fingerprint targets and deliver exploits. The group said it worked with partners to identify companies Intellexa used to infiltrate ad platforms and that those accounts were shut down by the partners.

GTIG credited collaborative research from Recorded Future and Amnesty International and said Google has added identified domains to Safe Browsing and delivered government-backed attack warnings to known targeted accounts. “Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders,” GTIG wrote.

What you can do: GTIG and Google urged prompt patching of browsers and operating systems, cautious handling of unexpected links, and attention to vendor threat warnings. Organizations and individuals at risk should review warnings from GTIG and apply mitigations recommended by platform vendors.

For step-by-step advice tailored to individuals and small organizations, see our guide "How to protect yourself from cyber attacks in 10 easy steps".

If you need an incident playbook, see our guide "How to respond to a cybersecurity incident – a step-by-step guide".

Both Google and GTIG emphasized community and industry action. GTIG said it will continue to share indicators and findings to help defenders and that coordinated policy efforts are important to limit misuse of commercial spyware.