CVE-2026-3909

HighCISA KEVActive Exploitation

Published: 13 March 2026

Published

13 March 2026

Modified

25 March 2026

KEV Added

13 March 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0039 60.3th percentile

Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identifying, prioritizing, and remediating known flaws like the out-of-bounds write in Chrome's Skia library by applying patches such as version 146.0.7680.75.

SI-16 Memory Protection good match

prevent

Implements memory protection methods such as stack canaries, ASLR, and DEP that directly mitigate exploitation of out-of-bounds writes in Skia during HTML processing.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning detects systems running vulnerable Chrome versions affected by this Skia out-of-bounds write, enabling targeted remediation.

Security SummaryAI

CVE-2026-3909 is an out-of-bounds write vulnerability in the Skia graphics library used by Google Chrome versions prior to 146.0.7680.75. This flaw, classified under CWE-787, enables out-of-bounds memory access when processing a crafted HTML page. Chromium security teams rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation allows the attacker to achieve high-impact effects on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise within the browser's sandbox.

Google's Chrome Releases blog details a stable channel update to version 146.0.7680.75 that addresses this issue. The vulnerability is tracked in the Chromium issue tracker at issues.chromium.org/issues/491421267. Mitigation involves updating to the patched version, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it in its Known Exploited Vulnerabilities Catalog.

This CVE appears in CISA's Known Exploited Vulnerabilities Catalog, indicating real-world exploitation by threat actors.

Details

CWE(s): CWE-787
KEV Date Added: 13 March 2026

Affected Products

google

chrome

≤ 146.0.7680.80

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in Chrome's Skia library exploited via crafted HTML on malicious website enables drive-by compromise (T1189) and client-side exploitation for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/491421267
Permissions Required · chrome-cve-admin@google.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0