Update now! Emergency Chrome update follows up on emergency fix
After Google released an emergency update for Chrome on Friday, the vendor followed up with another one on Saturday night.
Google released another emergency update for the Chrome web browser on Saturday night. It fixes a security vulnerability that was already being exploited online and which the previous day's update apparently did not close, or did not close correctly.
On Friday of this week, Google had already announced that an unscheduled update would patch two security vulnerabilities being exploited in the wild. Now, however, the developers have pushed another out-of-band update that fixes (again) one of the vulnerabilities that had supposedly already been closed: the one in the Skia graphics library. When carefully crafted web pages are processed and rendered, attackers can access memory outside the intended boundaries and thereby write memory contents improperly, an out-of-bounds write (CVE-2026-3909, no CVSS score, risk according to Google "high"). This often allows malicious code to be injected and executed.
Google has since updated the original release announcement from Friday night. The earlier version of the notice listed CVE-2026-3909; the developers now state there that the fix for it will only be included in a future update. They give no further details on the reasons, and there is no further information on the ongoing attacks on the vulnerabilities either.
Install updated versions now
Chrome users should ensure they are using the current version of the web browser. Chrome 146.0.7680.119 for Android and 146.0.7680.80 for Linux, macOS, and Windows now also patch the second exploited security hole.
The version dialog finds the updates and immediately starts installing them. To open it, click the icon with the three stacked dots to the right of the address bar and follow the click path "Help" - "About Google Chrome". On Linux, the distribution's software manager is usually responsible for updates. Google's Play Store should also offer the update, but on many phone models Chrome updates arrive with a significant delay, and the update cannot be forced there either.
Since other web browsers based on Chromium code, such as Microsoft Edge, are very likely to have the vulnerability as well, users of these alternatives should also check if updates are available for them and apply them promptly.
(dmk)
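
For anyone checking more than one machine, the version comparison described above can be scripted. The following is an added example, not part of the original article or of any Google tooling: the host names, inventory rows and the Edge build number are constructed, and only the fixed Chrome build numbers are taken from the article.

```python
import re

# Fixed Chrome builds named in the article, per platform.
FIXED_CHROME = {
    "android": (146, 0, 7680, 119),
    "linux": (146, 0, 7680, 80),
    "macos": (146, 0, 7680, 80),
    "windows": (146, 0, 7680, 80),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part build number as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(platform, product, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory row."""
    version = parse_version(version_text)
    fixed = FIXED_CHROME.get(platform.lower())
    if version is None or fixed is None:
        return "unknown"
    if product.lower() != "chrome":
        # Edge and other Chromium-based browsers: the article names no fixed
        # build for them, so check the vendor's own release notes.
        return "unknown"
    # Tuple comparison is numeric per component; a string comparison would
    # wrongly rank "146.0.7680.9" above "146.0.7680.80".
    return "patched" if version >= fixed else "needs-update"


# Constructed sample inventory: (host, platform, product, reported version).
INVENTORY = [
    ("ws-01", "windows", "chrome", "Google Chrome 146.0.7680.80"),
    ("ws-02", "linux", "chrome", "Google Chrome 146.0.7680.9"),
    ("ph-01", "android", "chrome", "146.0.7680.80"),
    ("ws-03", "windows", "edge", "Microsoft Edge 146.0.0.0"),
    ("ws-04", "macos", "chrome", "not installed"),
]


def report(inventory=INVENTORY):
    """Map each host to its status."""
    return {host: assess(plat, prod, ver) for host, plat, prod, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` need a manual look: either no version could be read or the browser is a Chromium derivative for which the article gives no fixed build.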