CVE-2026-3909

Google Skia — Out-of-Bounds Write via Crafted HTML Page
CVSS 3.1: 8.8 / 10 (HIGH) | CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026, with a remediation deadline of March 27, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library used by Google Chrome and numerous other products. A remote attacker can exploit this flaw by luring a victim to a crafted HTML page, triggering out-of-bounds memory access in the Skia rendering engine. Successful exploitation can lead to arbitrary code execution in the context of the browser process.

Skia is a widely shared open-source component used across Google Chrome, ChromeOS, Android, Flutter, Mozilla Firefox, and many other applications. CISA's KEV listing explicitly notes: "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products." The blast radius extends well beyond Chrome alone.

Vulnerability Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Skia is an open-source 2D graphics library that serves as the primary rendering engine for Google Chrome, ChromeOS, Android, and Flutter. It handles operations such as rasterization, text rendering, path geometry, image decoding, and GPU-accelerated drawing.

The out-of-bounds write occurs when Skia processes specially crafted graphical content embedded in an HTML page. An attacker can craft a malicious web page that, when visited by a victim, triggers the OOB write during rendering. This can corrupt adjacent memory, potentially allowing the attacker to:

  • Execute arbitrary code in the context of the Chrome renderer process
  • Escape the renderer sandbox when combined with additional exploits
  • Achieve full system compromise in chained exploitation scenarios
  • Steal sensitive data from the victim's browsing session

The attack requires only that the victim navigate to a malicious page — no additional user interaction is needed beyond clicking a link. This makes it ideal for phishing campaigns, watering hole attacks, and malvertising.

Skia: Shared Open-Source Component

CISA's KEV entry includes an important note: this vulnerability affects a common open-source component used by different products. Skia is embedded in far more than just Google Chrome:

Products Using Skia

  • Google Chrome
  • ChromeOS
  • Android
  • Flutter
  • Mozilla Firefox (partial)
  • Electron Apps
  • LibreOffice
  • Mono / .NET (SkiaSharp)
  • Jetpack Compose

Broader Impact: Organizations should check with individual vendors for patching status. Any application that bundles Skia may be independently vulnerable, even if Chrome itself has been updated. Electron-based applications (VS Code, Slack, Discord, Teams, etc.) may require separate updates.

Affected Products & Versions

Google Chrome

Platform | Vulnerable Versions               | Fixed Version
Windows  | All versions before 146.0.7680.80 | 146.0.7680.80
macOS    | All versions before 146.0.7680.80 | 146.0.7680.80
Linux    | All versions before 146.0.7680.75 | 146.0.7680.75

Other Affected Products

Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, etc.) are also affected and require their own updates. Additionally, any software embedding Skia directly should be evaluated for this vulnerability. Check with specific vendors for patch availability.

Impact

Impact Area         | Detail
Confidentiality     | High — Attacker can read arbitrary memory in the renderer process
Integrity           | High — Out-of-bounds write enables arbitrary code execution
Availability        | High — Can crash the browser or renderer process
Attack Vector       | Network — victim must visit a crafted web page
Privileges Required | None — any remote attacker can host a malicious page
User Interaction    | Required — victim must navigate to the attacker's page

Remediation

Immediate Actions

  1. Update Google Chrome to version 146.0.7680.80 or later (Windows/Mac) or 146.0.7680.75 or later (Linux)
  2. Update Chromium-based browsers — Microsoft Edge, Brave, Opera, Vivaldi, and others will release corresponding patches
  3. Update Electron-based applications — check for updates to apps built on Electron/Chromium
  4. Verify auto-update — navigate to chrome://settings/help to confirm Chrome is on the latest version
  5. Audit Skia usage — if your organization develops software using Skia or SkiaSharp, update the Skia dependency
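
To check a fleet against steps 1 and 4, the following added example (not part of the original advisory) compares inventoried Chrome versions with the per-platform fixed versions listed above. The inventory format, hostnames and sample versions are constructed for illustration; platforms the advisory gives no fixed version for are reported as unknown rather than patched.

```python
import re

# Fixed versions per platform, copied from the advisory's Chrome table.
FIXED = {
    "windows": (146, 0, 7680, 80),
    "macos": (146, 0, 7680, 80),
    "linux": (146, 0, 7680, 75),
}

def parse_version(text):
    """Parse a four-part Chrome version into an int tuple; None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), re.ASCII):
        return None
    return tuple(int(p) for p in text.strip().split("."))

def assess(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never report an unverified host as patched
    # Tuples compare numerically per component, so 7680.9 sorts below
    # 7680.75; a plain string comparison would get that wrong.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Audit 'host,platform,version' lines; return {host: status}."""
    results = {}
    for line in inventory.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # skip lines that are not host,platform,version
        host, platform, version = fields
        results[host] = assess(platform, version)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-001,Windows,146.0.7680.80
ws-002,Windows,146.0.7680.75
mac-01,macOS,145.0.7632.160
lin-01,Linux,146.0.7680.75
lin-02,Linux,146.0.7680.9
kiosk-7,ChromeOS,146.0.7680.75
ws-003,Windows,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Note that build 146.0.7680.75 is patched on Linux but still vulnerable on Windows and macOS, which is why the threshold is looked up per platform.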

Mitigations (if patching is delayed)

  • Enable Chrome's Site Isolation (enabled by default) to limit the impact of renderer exploits
  • Use browser security policies to restrict navigation to untrusted sites
  • Deploy web filtering to block known malicious domains
  • Consider disabling JavaScript on untrusted sites via browser extensions

Key Details

Property             | Value
CVE ID               | CVE-2026-3909
Vendor / Product     | Google — Skia
NVD Published        | 2026-03-13
NVD Last Modified    | 2026-03-25
CVSS 3.1 Score       | 8.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-787
CISA KEV Added       | 2026-03-13
CISA KEV Deadline    | 2026-03-27
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-03-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2026-03-12 | CVE-2026-3909 published on NVD
2026-03-13 | Chrome stable channel update 146.0.7680.75 released with fix
2026-03-13 | Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation
2026-03-25 | NVD last modified — NIST CVSS scoring finalized at 8.8 HIGH
2026-03-27 | CISA BOD 22-01 remediation deadline