Google Rushes Emergency Chrome Patch for Actively Exploited V8 Vulnerability

Google has released an emergency security update for Chrome, patching a critical type confusion vulnerability in the V8 JavaScript engine that is being actively exploited in targeted attacks.

The vulnerability, tracked as CVE-2026-3078, allows remote attackers to execute arbitrary code on affected systems simply by luring victims to a malicious website. No user interaction beyond visiting the page is required.

"We are aware that an exploit for CVE-2026-3078 exists in the wild," Google stated in its security advisory. The company credited an anonymous security researcher working with Kaspersky for reporting the flaw.

According to Kaspersky's Global Research and Analysis Team (GReAT), the vulnerability is being exploited as part of a sophisticated attack chain targeting journalists and activists in Eastern Europe. The attack delivers a previously unknown spyware payload dubbed "SilentByte."

"The exploit is highly reliable and works across multiple operating systems," said Boris Larin, principal security researcher at Kaspersky. "The targeted nature of the attacks suggests a nation-state actor, though we cannot yet attribute it to a specific group."

Chrome users are urged to update immediately to version 125.0.6422.112 or later. Users can check their Chrome version by navigating to chrome://settings/help, which will also trigger an automatic update if available.

Other Chromium-based browsers, including Microsoft Edge, Brave, and Opera, are also affected and are expected to release patches shortly.