CVE-2026-3909
Published 2026-03-13
CVE-2026-3909: Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page…
Priority P1 (85) · high · 8.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2026-03-27
Exploited in the wild
EPSS: 1.63% (73.2nd percentile)
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 146.0.7680.80-1~deb12u1 | 146.0.7680.80-1~deb12u1 |
| chromium | chromium | >= 0 < 146.0.7680.80-1~deb13u1 | 146.0.7680.80-1~deb13u1 |
| chromium | chromium | >= 0 < 146.0.7680.80-1 | 146.0.7680.80-1 |
| debian | chromium | < chromium 146.0.7680.80-1~deb12u1 (bookworm) | chromium 146.0.7680.80-1~deb12u1 (bookworm) |
| chrome | | < 146.0.7680.80 | 146.0.7680.80 |
| chrome | | >= 146.0.7680.75 < 146.0.7680.75 | 146.0.7680.75 |
| chrome_chrome | | — | — |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs (extracted from sources)
- CVE-2026-3909 is an out-of-bounds write in the Skia 2D graphics library component of Chrome. Detection should focus on Chrome processes rendering crafted HTML pages that trigger anomalous memory access patterns in Skia.
- This vulnerability is confirmed actively exploited in the wild (CISA KEV listed, remediation due 2026-03-27). Prioritize detection of unpatched Chrome instances (below 146.0.7680.75) accessing untrusted HTML content.
- The vulnerability affects not only Google Chrome but also ChromeOS, Android, Flutter, and possibly other products using the Skia library. Broaden detection scope to all Skia-dependent products.
- Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) share the Skia component and may also be vulnerable. Monitor these browsers for versions below the patched Chromium build.
- Fixed versions for patch-level detection: Windows/macOS: 146.0.7680.177 or 146.0.7680.178; Linux: 146.0.7680.177. Flag any Chrome process reporting a lower version string.
- On Debian, the fixed package version is 146.0.7680.80-1~deb12u1 (bookworm) and 146.0.7680.80-1 (sid/forky/trixie). Use package version checks to identify unpatched Debian systems.
- Google has not disclosed specific exploitation details or threat actor attribution for CVE-2026-3909. IOC enrichment from incident reports is not yet publicly available.
- Debian 'bullseye' (11) remains unpatched as of the source publication date. Systems running Debian 11 with Chromium should be treated as persistently vulnerable until a fix is issued.
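As an added example (not part of this advisory page or any vendor's tooling), a patch-level check implementing the version comparisons above: Chrome builds are compared against the upstream fix 146.0.7680.75 from the CVE description, and Debian chromium packages against the per-suite fixed versions from the Debian tracker using a port of dpkg's version ordering, so that `1~deb12u1` sorts below `1` as dpkg intends. Suites absent from the table (bullseye, still open) are treated as unfixed; the fixed-version thresholds are assumptions taken from this page.

```python
import re
CHROME_FIXED = "146.0.7680.75"  # upstream fix named in the CVE description
DEBIAN_FIXED = {                # Debian tracker entries; bullseye (open) is deliberately absent
    "bookworm": "146.0.7680.80-1~deb12u1",
    "trixie": "146.0.7680.80-1~deb13u1",
    "sid": "146.0.7680.80-1",
    "forky": "146.0.7680.80-1",
}

def chrome_vulnerable(version: str) -> bool:
    """Chrome reports four dotted integers; any build below the fix is affected."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(map(int, version.split("."))) < tuple(map(int, CHROME_FIXED.split(".")))

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before end-of-string, letters before symbols."""
    if c == "~" or c == "" or c.isdigit():
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def dpkg_compare(a: str, b: str) -> int:
    """Compare [epoch:]upstream[-revision] like dpkg --compare-versions (<0, 0, >0)."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def debian_vulnerable(suite: str, pkg_version: str) -> bool:
    fixed = DEBIAN_FIXED.get(suite)  # None: the suite has no fix yet
    return fixed is None or dpkg_compare(pkg_version, fixed) < 0
```

Feed it the version string from `chrome://version` or `dpkg-query -W -f='${Version}' chromium` per host; the Windows/macOS builds listed above as fixed are later than 146.0.7680.75 and so also pass the check.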
CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- osv: 8.8 HIGH
- vulncheck: 8.8 HIGH
- cisa: 8.8 HIGH
- vendor_debian: 8.8 HIGH
- vendor_msrc: 8.8 HIGH
- vendor_redhat: 8.8 HIGH
Palo Alto
PAN-SA-2026-0004 Chromium: Monthly Vulnerability Update (April 2026)
vendor_paloalto · 2026-04-08 · CVSS 8.8 · [HIGH]
Palo Alto Networks incorporated the following Chromium security fixes into our products:
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html
CVE Summary
CVE-2026-2648 Heap buffer overflow in PDFium
CVE-2026-2649 Integer overflow in V8
CVE-2026-2650 Heap
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2026-3909
vendor_chrome · 2026-03-16 · CVSS 8.8 · [HIGH]
Long Term Support Channel Update for ChromeOS
CVE-2026-3909: Out of bounds write in Skia. [ 491410818 ] High
CVE-2026-3910: Inappropriate implementation in V8
If you have devices in the LTC channel, they will be updated to this version
Severity: high
CISA
Google Skia Out-of-Bounds Write Vulnerability
cisa · 2026-03-13 · CVSS 8.8 · [HIGH] · CWE-787
Affected: Google Skia
Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://chromereleases.googleblog.com/
Red Hat
chromium-browser: Out of bounds write in Skia
vendor_redhat · 2026-03-12 · CVSS 8.8 · [HIGH]
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
An out of bounds write flaw was found in the Skia component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=491421267
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Microsoft
Chromium: CVE-2026-3909 Out of bounds write in Skia
vendor_msrc · 2026-03-10 · CVSS 8.8 · [HIGH]
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2026-3909 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the wi
Debian
CVE-2026-3909: chromium - Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a re...
vendor_debian · 2026 · CVSS 8.8 · [HIGH]
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 146.0.7680.80-1~deb12u1)
bullseye: open
forky: resolved (fixed in 146.0.7680.80-1)
sid: resolved (fixed in 146.0.7680.80-1)
trixie: resolved (fixed in 146.0.7680.80-1~deb13u1)
OSV
CVE-2026-3909: Out of bounds write in Skia in Google Chrome prior to 146
osv · 2026-03-13 · CVSS 8.8 · [HIGH]
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
GHSA
GHSA-vmc5-xpp6-2j82: Out of bounds write in Skia in Google Chrome prior to 146
ghsa_unreviewed · 2026-03-13 · [HIGH] · CWE-787
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Skia Out-of-Bounds Write Vulnerability
vulncheck · 2026 · CVSS 8.8 · [HIGH] · CWE-787
Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
Affected: Google Skia
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.jso
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews · 2026-06-15 · CVSS 8.8 · CVE-2026-11645 [HIGH]
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Bleepingcomputer
Google patches new Chrome zero-day flaw exploited in the wild
blogs_bleepingcomputer · 2026-06-09 · CVSS 8.8 · CVE-2026-11645 [HIGH]
## Google patches new Chrome zero-day flaw exploited in the wild
By Sergiu Gatlan
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing s
Hackernews
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
blogs_hackernews · 2026-06-09 · CVSS 8.8 · CVE-2026-11645 [HIGH]
## Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," reads a description of the flaw in the NIST's National Vulnerability Datab
Bleepingcomputer
Google fixes fourth Chrome zero-day exploited in attacks in 2026
blogs_bleepingcomputer · 2026-04-01 · CVSS 8.8 · [HIGH]
## Google fixes fourth Chrome zero-day exploited in attacks in 2026
By Sergiu Gatlan
Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior.
While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company noted.
Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux
Hackernews
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
blogs_hackernews · 2026-04-01 · CVSS 8.8 · CVE-2026-5281 [HIGH]
## New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a de
Checkpoint
16th March – Threat Intelligence Report
blogs_checkpoint · 2026-03-16 · CVE-2025-26399
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Wiz
CVE-2026-3909 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · CVE-2026-3909 [HIGH]
## CVE-2026-3909: vulnerability analysis and mitigation
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Source: NVD
Score: 8.8
Published: March 13, 2026
Severity: HIGH
CNA Score: 8.8
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 49.9
Exploitation Probability (EPSS): 0.3
Affected packages and libraries: chromium-qt6-ui-debuginfo, cpe:2.3:a:google:chrome
Sources:
- Alpine 3.23, edge: Severity HIGH, Has Fix, Added at Mar 17, 2026
- Debian 11: Severity HIGH, No Fix, Added at Mar 13, 2026
- Debian 12, 13, 14: Severity HIGH, Has Fix, Added at Mar 13, 202
2026-03-13: Published
2026-03-13: Added to CISA KEV
Exploited in the wild