What happened
CISA added two Google Chrome vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2026-3909 (Skia out-of-bounds write)
- CVE-2026-3910 (Chromium V8 vulnerability)
KEV inclusion means there is credible evidence of active exploitation and elevated operational risk.
Why KEV listing matters
For defenders, KEV is a practical “patch now” signal:
- exploitation is not theoretical,
- weaponization timelines are often short,
- browser bugs can become broad enterprise footholds.
Organizations that rely on Chrome in daily workflows should treat these updates as priority maintenance.
What teams should do now
- Verify Chrome auto-update is working across managed and unmanaged endpoints.
- Force-update lagging VDI and kiosk images.
- Review EDR detections for suspicious browser child-process behavior.
- Escalate high-risk users (admins, finance, executives) for immediate patch confirmation.
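For the first item above, an added check script (not from the advisory) that a team can drop onto Linux endpoints: it reads the installed Chrome or Chromium version and compares it field by field with a minimum build. MIN_CHROME_VERSION is a placeholder to fill from Google's release notes, and the binary names are assumed install names.

```shell
#!/bin/sh
# Added example, not from the advisory. MIN_CHROME_VERSION is a PLACEHOLDER:
# set it to the fixed build from Google's release notes before use.
MIN_CHROME_VERSION="${MIN_CHROME_VERSION:-0.0.0.0}"

# Pull the dotted version out of text such as "Google Chrome 120.0.6099.129".
extract_version() {
    for tok in $(printf '%s\n' "$1" | sed 's/[^0-9.]/ /g'); do
        case "$tok" in *[0-9].[0-9]*) printf '%s\n' "$tok"; return 0 ;; esac
    done
    return 1
}

# version_ge A B: exit 0 when A >= B, comparing each dotted field numerically.
version_ge() {
    have="$1." want="$2."
    while [ -n "$have" ] || [ -n "$want" ]; do
        a="${have%%.*}"; b="${want%%.*}"
        have="${have#*.}"; want="${want#*.}"
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# Candidate binary names (assumed Linux install names).
chrome_binary() {
    for c in google-chrome google-chrome-stable chromium chromium-browser; do
        command -v "$c" >/dev/null 2>&1 && { printf '%s\n' "$c"; return 0; }
    done
    return 1
}

# Exit 0 = patched, 1 = outdated, 2 = not installed, 3 = version unreadable.
check_chrome() {
    bin=$(chrome_binary) || { echo "chrome: not installed"; return 2; }
    ver=$(extract_version "$("$bin" --version 2>/dev/null)") \
        || { echo "chrome: version unreadable"; return 3; }
    if version_ge "$ver" "$MIN_CHROME_VERSION"; then
        echo "chrome $ver: OK (>= $MIN_CHROME_VERSION)"; return 0
    fi
    echo "chrome $ver: OUTDATED (< $MIN_CHROME_VERSION), force update"; return 1
}

# Run the check only when invoked as: sh chrome_check.sh --check
if [ "${1:-}" = "--check" ]; then check_chrome; fi
```

The exit code is meant for fleet tooling: anything other than 0 flags the endpoint for a forced update or a manual look.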
Home-user guidance
If you use Chrome personally, open Help → About Google Chrome and confirm you are on the latest build, then restart the browser.
Bottom line
Two Chrome flaws landing in KEV at once is a clear reminder: browser patching is core security hygiene, not optional maintenance.
