Three Exploited Zero-Days Plus Two Public Disclosures, One Month
March 2026 was not a quiet month for vulnerability management teams. Across Google Chrome, Android, and Microsoft SQL Server, three actively exploited zero-days and two publicly disclosed vulnerabilities required emergency patching cycles, with CISA adding multiple entries to the Known Exploited Vulnerabilities (KEV) catalog.
Each vulnerability targets a different layer of the enterprise stack — browser, mobile device, database — meaning no single patch cycle covers all exposure. Organizations running Chrome on desktops, Android devices in the field, and SQL Server backends needed to coordinate three distinct remediation workflows in a single month.
Here is what was exploited, how, and what defenders need to do.
Chrome: Two Zero-Days in V8 and Skia
Google released an emergency Chrome update on March 13, 2026, patching two vulnerabilities confirmed as exploited in the wild. Both received a Qualys Vulnerability Score (QVS) of 95 out of 100.
CVE-2026-3910 — V8 JavaScript Engine
- Type: Inappropriate implementation in V8
- Impact: Arbitrary code execution within the browser sandbox
- Attack vector: Crafted HTML page
CVE-2026-3910 targets Chrome’s V8 JavaScript and WebAssembly engine — the component responsible for executing all JavaScript on every web page. A specifically crafted HTML page can trigger the vulnerability, allowing a remote attacker to execute arbitrary code inside the browser sandbox.
V8 vulnerabilities are prized by exploit developers because JavaScript execution is universal across all browsing activity. The attacker needs only to convince the target to visit a malicious page or inject the payload into a compromised legitimate site.
Google explicitly confirmed that “exploits for CVE-2026-3910 exist in the wild” but withheld details about the exploitation campaigns and the threat actors behind them — standard practice to prevent additional weaponization.
CVE-2026-3909 — Skia 2D Graphics Library
- Type: Out-of-bounds write in Skia
- Impact: Memory corruption, potential remote code execution
- Attack vector: Crafted HTML page
The Skia 2D graphics library handles all rendering in Chrome — text, images, SVG, canvas elements. CVE-2026-3909 is an out-of-bounds write vulnerability that allows a remote attacker to write data past the intended memory boundary via a crafted HTML page.
Out-of-bounds writes in graphics libraries are particularly dangerous because rendering is constant and automatic. Unlike JavaScript exploits that require specific code execution, Skia vulnerabilities can be triggered simply by rendering a malicious image or graphic element embedded in any web page.
Patches and Deadlines
Google initially released version 146.0.7680.75/76 on March 12, followed by 146.0.7680.80 on March 14, which included the complete fix for both CVEs. CISA added both CVEs to the Known Exploited Vulnerabilities catalog on March 13, 2026, setting a March 27, 2026 remediation deadline for Federal Civilian Executive Branch (FCEB) agencies.
Enterprise Chrome deployments should verify all managed browsers are running version 146.0.7680.80 or later. Organizations using Chromium-based browsers (Edge, Brave, Opera) should verify their downstream patches, as both V8 and Skia are shared components.
Android: Qualcomm Graphics Zero-Day Under Targeted Exploitation
CVE-2026-21385 — Qualcomm Graphics Subcomponent
- Type: Integer overflow/wraparound in Qualcomm GPU driver
- Impact: Memory corruption, local privilege escalation
- Attack vector: Malicious app or local code delivering crafted data to the graphics driver
- Scale: 230+ Qualcomm chipsets affected
Google’s March 2026 Android Security Bulletin patched 129 vulnerabilities across two security patch levels (2026-03-01 and 2026-03-05). Among them, CVE-2026-21385 stands out as the only vulnerability confirmed under active exploitation.
The flaw resides in an open-source Qualcomm graphics/display component used by over 230 different chipset models. Qualcomm described it as an integer overflow or wraparound that can be exploited by a local attacker to trigger memory corruption in a controlled way.
The “local” attack vector means the attacker needs code running on the device — typically through a malicious app installed from a third-party source, or as part of a multi-stage exploit chain where a browser or messaging vulnerability delivers the initial payload, and CVE-2026-21385 provides the privilege escalation needed to escape the app sandbox.
Google’s security bulletin notes “limited, targeted exploitation,” which typically indicates a small number of high-value targets — journalists, dissidents, government officials — rather than mass consumer attacks. This pattern is consistent with commercial spyware vendors who specialize in Android exploit chains for targeted surveillance.
Timeline
- December 18, 2025 — Google’s Android Security team alerts Qualcomm.
- February 2, 2026 — Qualcomm notifies OEM customers.
- March 3, 2026 — CISA adds CVE-2026-21385 to the KEV catalog, setting a March 24, 2026 remediation deadline.
- March 5, 2026 — Patches available in the 2026-03-05 Android security patch level.
Remediation Challenges
Android’s fragmented update ecosystem means patch availability does not equal patch deployment. Google Pixel devices received the March update promptly. Samsung, OnePlus, and other major OEMs typically follow within two to four weeks. Budget devices and older models from smaller manufacturers may never receive the patch.
Organizations with BYOD policies should verify that enrolled devices are running at least the 2026-03-05 security patch level. Devices that cannot be updated should be restricted from accessing sensitive corporate resources.
SQL Server: Privilege Escalation Goes Public
CVE-2026-21262 — SQL Server Elevation of Privilege
- Type: Improper access control
- Impact: Full database instance compromise from low-privilege authenticated access
- CVSS: 8.8 (High)
- Exploitation status: Publicly disclosed, not confirmed as actively exploited at release
Microsoft’s March 2026 Patch Tuesday addressed 79 to 84 vulnerabilities (counts vary by methodology), including two publicly disclosed zero-days. CVE-2026-21262 is the more consequential of the pair.
The vulnerability allows an authenticated, low-privileged SQL Server user to escalate their privileges over the network to the highest built-in role — sysadmin — on the database instance. Successful exploitation grants the attacker the ability to read, modify, or delete any data in user and system databases; create new logins; alter existing permissions; and deploy malicious objects such as triggers or stored procedures to maintain persistence.
The attack requires network-level connectivity to an affected SQL Server instance and a valid SQL login with limited privileges. It cannot be exploited anonymously. However, the combination of public disclosure and an 8.8 CVSS score makes this an attractive target for post-compromise lateral movement in environments where SQL Server credentials are already available through prior access.
Affected Versions and Patches
Microsoft released security updates across the full SQL Server support matrix:
| Version | Update Track | KB Article |
|---|---|---|
| SQL Server 2016 SP3 | GDR | KB5077474 |
| SQL Server 2017 | CU31 | KB5077471 |
| SQL Server 2019 | CU32 | KB5077469 |
| SQL Server 2022 | CU23 / GDR | KB5077464 / KB5077465 |
| SQL Server 2025 | CU2 / GDR | KB5077466 / KB5077468 |
Updates are available for both Windows and Linux deployments. Organizations running SQL Server in production should prioritize this patch — the public disclosure increases the likelihood of weaponization even without confirmed in-the-wild exploitation at release.
The Broader March 2026 Patch Landscape
Beyond the headline zero-days, the March Patch Tuesday cycle included 46 privilege escalation vulnerabilities, 18 remote code execution flaws, 10 information disclosure issues, four spoofing bugs, four denial-of-service vulnerabilities, and two security feature bypass flaws.
Six vulnerabilities across the full March cycle were flagged as “more likely to be exploited,” meaning defenders should treat them with urgency even in the absence of confirmed exploitation.
Patching Priorities for Security Teams
March 2026’s zero-day harvest demands a layered response:
- Chrome: Verify automatic updates NOW. Confirm that all managed browsers are running version 146.0.7680.80 or later. Do not wait for the next scheduled patch cycle.
- Android: Enforce minimum patch levels. Set 2026-03-05 as the minimum acceptable Android security patch level for devices accessing corporate resources. Quarantine non-compliant devices.
- SQL Server: Patch and audit. Apply the relevant KB update, then audit SQL Server logins for unnecessary low-privilege accounts that could serve as escalation entry points.
- Monitor CISA KEV additions. All three platforms had entries added to the KEV catalog in March. Organizations subject to BOD 22-01 have mandatory remediation deadlines.
- Review exploit chain exposure. CVE-2026-21385 is most dangerous as part of a chain. If your organization uses Android devices AND has browser-based attack surface, the combination creates compound risk that neither patch alone eliminates.
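The Chrome and Android items above (and the verification advice in the Chrome and Android sections earlier) both reduce to "is this asset at or above a minimum level, and has the KEV deadline passed?" The script below is an added example, not code from the article or from Google, Qualcomm or CISA. It assumes an inventory export with hostname, product and version fields (the field names are assumptions, and the sample records are constructed); the only values taken from the article are the 146.0.7680.80 Chrome minimum, the 2026-03-05 Android patch level, and the KEV due dates.

```python
"""Patch-compliance check for the March 2026 Chrome and Android advisories.

Added example, not code from the original article. The inventory records
below are constructed sample data; the field names (hostname, product,
version) are assumptions, not any particular MDM's export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Minimums quoted in the article: Chrome 146.0.7680.80 and the
# 2026-03-05 Android security patch level.
MIN_CHROME_VERSION = "146.0.7680.80"
MIN_ANDROID_PATCH_LEVEL = date(2026, 3, 5)

# CISA KEV remediation deadlines quoted in the article.
KEV_DEADLINES = {
    "CVE-2026-3909": date(2026, 3, 27),
    "CVE-2026-3910": date(2026, 3, 27),
    "CVE-2026-21385": date(2026, 3, 24),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version string into a comparable int tuple.

    Comparing ints avoids the string-comparison bug where "146.0.7680.9"
    would sort after "146.0.7680.80" and wrongly pass the check.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def chrome_is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(MIN_CHROME_VERSION)


def android_is_patched(patch_level: str) -> bool:
    """Android security patch levels are ISO dates (YYYY-MM-DD)."""
    return date.fromisoformat(patch_level.strip()) >= MIN_ANDROID_PATCH_LEVEL


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str   # "chrome" or "android" (assumed inventory values)
    version: str   # Chrome version string or Android patch level


def find_noncompliant(assets: list[Asset]) -> list[str]:
    """Return hostnames that still need remediation, in inventory order.

    Records that cannot be parsed are reported as non-compliant rather than
    skipped: an asset you cannot assess should be treated as unpatched.
    """
    flagged = []
    for a in assets:
        try:
            if a.product == "chrome":
                ok = chrome_is_patched(a.version)
            elif a.product == "android":
                ok = android_is_patched(a.version)
            else:
                ok = False
        except ValueError:
            ok = False
        if not ok:
            flagged.append(a.hostname)
    return flagged


def overdue_kev(today_iso: str) -> list[str]:
    """CVEs whose BOD 22-01 remediation deadline has passed as of today_iso."""
    today = date.fromisoformat(today_iso)
    return sorted(cve for cve, due in KEV_DEADLINES.items() if today > due)


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    Asset("ws-001", "chrome", "146.0.7680.80"),
    Asset("ws-002", "chrome", "146.0.7680.75"),  # pre-fix March 12 build
    Asset("ws-003", "chrome", "146.0.7680.9"),   # string compare would pass this
    Asset("ph-001", "android", "2026-03-05"),
    Asset("ph-002", "android", "2026-03-01"),    # first March level, fix not included
    Asset("ph-003", "android", "unknown"),       # unparseable, flagged
]

if __name__ == "__main__":
    for host in find_noncompliant(SAMPLE_ASSETS):
        print("remediate:", host)
    print("overdue KEV entries:", overdue_kev("2026-03-25"))
```

Run it against a real export by building `Asset` records from your MDM or browser-management CSV; the version comparison is the part worth keeping, since a naive string comparison will silently accept builds like 146.0.7680.9 that are older than the fixed release.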
Frequently Asked Questions
Which March 2026 zero-day is the most critical for enterprises?
CVE-2026-21262 (SQL Server privilege escalation, CVSS 8.8) poses the highest enterprise risk because it allows any authenticated low-privilege user to gain sysadmin access to the entire database instance. Since the exploit details are publicly disclosed, weaponization is likely even though active exploitation was not confirmed at release. Organizations running any SQL Server version from 2016 through 2025 should patch immediately.
Are Qualcomm Android devices in Algeria affected by CVE-2026-21385?
Yes. The vulnerability affects over 230 Qualcomm chipset models, covering the vast majority of Android devices sold in Algeria. Google’s bulletin notes “limited, targeted exploitation” — typically against high-value targets like journalists or officials — but the broad chipset exposure means any unpatched device is technically vulnerable. Devices should be updated to the 2026-03-05 security patch level or restricted from corporate resources.
How should organizations prioritize when five zero-days land in one month?
Start with the platforms that have confirmed active exploitation: Chrome (CVE-2026-3909, CVE-2026-3910) and Android (CVE-2026-21385). These require immediate patching. Then address SQL Server (CVE-2026-21262) based on your exposure — if SQL Server instances are network-accessible with low-privilege accounts, prioritize this next. Use CISA KEV deadlines as a minimum benchmark and coordinate across browser, mobile, and database teams simultaneously.