CVE-2026-3909
published 2026-03-13

Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Flags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2026-03-27
Exploited in the wild
EPSS: 1.63% (73.2nd percentile)
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Affected (9 ranges)

Vendor   | Product        | Version range                                  | Fixed in
chromium | chromium       | >= 0, < 146.0.7680.80-1~deb12u1                | 146.0.7680.80-1~deb12u1
chromium | chromium       | >= 0, < 146.0.7680.80-1~deb13u1                | 146.0.7680.80-1~deb13u1
chromium | chromium       | >= 0, < 146.0.7680.80-1                        | 146.0.7680.80-1
debian   | chromium       | < 146.0.7680.80-1~deb12u1 (bookworm)           | 146.0.7680.80-1~deb12u1 (bookworm)
google   | chrome         | < 146.0.7680.80                                | 146.0.7680.80
google   | chrome         | >= 146.0.7680.75, < 146.0.7680.75 (empty as published) | 146.0.7680.75
google   | chrome_chrome  | (no range published)                           |
msrc     | microsoft_edge | (no range published)                           |
paloalto | prisma_browser | (no range published)                           |

Detection & IOCs (extracted from sources)

version: Google Chrome < 146.0.7680.75
  • CVE-2026-3909 is an out-of-bounds write in Skia, the 2D graphics library Chrome uses to rasterize page content. The vector (AV:N, UI:R, PR:N) means a vulnerable browser only has to render a crafted page, so detection should focus on browser processes rendering untrusted HTML. No memory-level signature is public; in practice the observable signals are renderer-process crashes and sandbox-escape attempts that follow a page load.
  • The vulnerability is confirmed actively exploited in the wild (CISA KEV listed, remediation due 2026-03-27). Prioritize finding unpatched Chrome instances (below 146.0.7680.75) that browse untrusted content.
  • Skia is also used by ChromeOS, Android, Flutter and other products. This page only publishes ranges for browser packages, so whether those products carry the same bug is not stated here; broaden inventory checks to Skia-dependent products and track their vendor advisories.
  • Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) share the Skia component and may also be vulnerable; this page lists Microsoft Edge and Palo Alto Prisma Browser as affected products without a version range. Monitor these browsers for builds below the patched Chromium base.
  • Stable-channel builds cited by sources for patch-level detection: Windows/macOS 146.0.7680.177 or 146.0.7680.178; Linux 146.0.7680.177. Note that the CVE description itself names 146.0.7680.75 as the first fixed build and Debian ships 146.0.7680.80, so flag any Chrome process reporting a version string below 146.0.7680.75 as unpatched, and treat the later builds as the current update target.
  • On Debian, the fixed package versions are 146.0.7680.80-1~deb12u1 (bookworm) and 146.0.7680.80-1 (sid/forky); the affected table above also lists a 146.0.7680.80-1~deb13u1 range (Debian 13, trixie). Use package version checks with dpkg semantics (dpkg --compare-versions), since a "~" suffix sorts before the bare revision and a naive string comparison gets these wrong.
  • Google has not disclosed specific exploitation details or threat actor attribution for CVE-2026-3909. IOC enrichment from incident reports is not yet publicly available.
  • Debian 'bullseye' (11) remains unpatched as of the source publication date. Systems running Debian 11 with Chromium should be treated as persistently vulnerable until a fix is issued.
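The two version checks above (Chrome's dotted build numbers and Debian's package versions) need different comparison rules, and the "~" in 146.0.7680.80-1~deb12u1 is the usual trap. The script below is an added example, not code from this page or from Google or Debian: it compares Chrome versions numerically and reimplements dpkg's version ordering (epoch, upstream, revision, with "~" sorting before end-of-string) so the Debian fixed versions can be checked without shelling out. The inventory records and host names are constructed for the example; the fixed versions are the ones published above.

```python
"""Exposure check for CVE-2026-3909 by installed version (added example, not from the advisory)."""

# First fixed versions as published on this page.
CHROME_FIXED = "146.0.7680.75"
DEBIAN_FIXED = {
    "bookworm": "146.0.7680.80-1~deb12u1",
    "trixie": "146.0.7680.80-1~deb13u1",
    "sid": "146.0.7680.80-1",
}


def chrome_version_key(version):
    """Chrome versions are MAJOR.MINOR.BUILD.PATCH integers; compare them numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def chrome_is_vulnerable(version, fixed=CHROME_FIXED):
    return chrome_version_key(version) < chrome_version_key(fixed)


# --- dpkg version ordering (reimplementation of dpkg's verrevcmp, same rules as dpkg --compare-versions) ---
def _order(ch):
    """Weight of one non-digit character: '~' sorts before end-of-string (0), letters by code point,
    any other symbol after letters."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit runs and numeric runs."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: character by character with dpkg's weights.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i].isdigit() and j < lb and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_debian_version(v):
    """[epoch:]upstream[-revision]; the revision is everything after the LAST hyphen."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split_debian_version(a)
    eb, ub, rb = _split_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return -1 if c < 0 else (1 if c > 0 else 0)


def debian_is_vulnerable(installed, suite):
    return dpkg_compare(installed, DEBIAN_FIXED[suite]) < 0


# Constructed sample inventory (hypothetical hosts): (host, product, debian suite or None, version).
SAMPLE_INVENTORY = [
    ("ws-01", "google_chrome", None, "146.0.7680.60"),
    ("ws-02", "google_chrome", None, "146.0.7680.75"),
    ("ws-03", "google_chrome", None, "145.0.7632.100"),
    ("srv-04", "debian_chromium", "bookworm", "146.0.7680.75-1~deb12u1"),
    ("srv-05", "debian_chromium", "bookworm", "146.0.7680.80-1~deb12u1"),
    ("srv-06", "debian_chromium", "sid", "146.0.7680.80-1~deb13u1"),  # "~deb13u1" sorts BELOW the sid fix
    ("srv-07", "debian_chromium", "trixie", "146.0.7680.80-1~deb13u1"),
]


def find_exposed(inventory):
    """Hosts whose installed browser is below the fixed version for their product/suite."""
    exposed = []
    for host, product, suite, version in inventory:
        if product == "google_chrome" and chrome_is_vulnerable(version):
            exposed.append(host)
        elif product == "debian_chromium" and debian_is_vulnerable(version, suite):
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: below fixed version for CVE-2026-3909")
```

The srv-06 record is the case worth keeping in mind: a bookworm/trixie backport string such as 146.0.7680.80-1~deb13u1 looks newer than 146.0.7680.80-1 to a plain string compare but is older under dpkg rules, so on a sid host it is still unpatched, while the same string is exactly the fixed version on trixie.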

CVSS provenance

Source        | CVSS | Score | Severity | Vector
nvd           | v3.1 | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv           |      | 8.8   | HIGH     |
vulncheck     |      | 8.8   | HIGH     |
cisa          |      | 8.8   | HIGH     |
vendor_debian |      | 8.8   | HIGH     |
vendor_msrc   |      | 8.8   | HIGH     |
vendor_redhat |      | 8.8   | HIGH     |