Google Chrome security alert urges billions to update; what Chrome users should do

Google has issued an urgent warning to Chrome users, flagging a serious security vulnerability that is already being exploited in the wild. The flaw, tracked as CVE-2026-3909, affects Chrome’s underlying graphics engine and could allow attackers to crash the browser or run malicious code on a victim’s system.

With Chrome’s user base crossing three billion, even a single vulnerability of this scale has wide-reaching implications. Google has responded with a patch, but as always with browser updates, it may take time to reach every device. In the meantime, there are a few simple things Chrome users should do to stay protected.

What Google Chrome users should do right now

Start with the obvious but often ignored step. Update your browser. Head to Chrome’s settings, open the “About Chrome” section, and check if version 146.0.7680.75 (or newer) is available. If it is, install it and restart the browser. That restart is important, as the fix does not fully apply until Chrome relaunches.

If you do not see the update yet, do not assume you are safe. Google rolls out patches in phases, so it may take a few days to appear. In that case, keep checking manually and avoid using Chrome for sensitive tasks such as banking or logging into critical accounts until you are updated.

It is also worth enabling automatic updates if they are turned off, and keeping your operating system up to date, as some exploits rely on a chain of vulnerabilities rather than a single entry point.

A flaw hiding in plain sight

At the centre of the issue is Skia, the open-source graphics library that Chrome relies on to render web content. The bug is described as an out-of-bounds write error, which means the browser can be tricked into writing data where it should not. That opens the door to crashes at best and remote code execution at worst.

ALSO READ: Google Chrome is getting 3 new AI features for better browsing

What makes this particularly concerning is its zero-day status. These are vulnerabilities that attackers discover and exploit before developers can fully respond, leaving users exposed in the interim.

Google has confirmed that this flaw falls into that category, though it has stopped short of sharing technical specifics, likely to avoid giving bad actors a roadmap.

Google says it will release more details about the vulnerability once a majority of users are protected. Until then, the lack of transparency is deliberate. It buys time for patches to spread before the flaw becomes widely understood and easier to exploit.