Google shipped emergency patches for three separate Chrome zero-days in March 2026, continuing a trend that’s been accelerating since late 2024.

The three vulnerabilities

All three were reported as actively exploited in the wild before patches were available. The details are thin (Google’s disclosure policy gives minimal technical detail until patch adoption reaches critical mass), but the affected components (V8, Blink, and the network stack) suggest three different attacker toolkits rather than a single campaign.

Why browsers keep breaking

The browser has become the operating system for most knowledge workers. Every new API surface — WebGPU, WebTransport, WebCodecs — is another attack surface. Chrome’s codebase is tens of millions of lines of C++ with a JavaScript engine that’s one of the most complex pieces of software ever written.

The economic incentive for browser zero-days has also never been higher. A full Chrome RCE chain sells for seven figures on the exploit market, and the potential targets include literally everyone with a web browser.

What this means practically

For most people, auto-update is the only realistic defense. But if you’re running infrastructure where browsers are part of the attack surface (admin panels, monitoring dashboards, CI/CD web UIs), consider whether those interfaces need to be accessible from the general internet at all.

The best Chrome zero-day mitigation is not needing Chrome to reach your critical systems.