🟢 CVE-2026-3909

CVE-2026-3909 is an out-of-bounds write vulnerability in Google Chrome's Skia component that requires user interaction (visiting a crafted HTML page). While actively exploited and severe for end-users, it does not affect internet-facing server applications and requires social engineering or phishing for exploitation.

Risk Level: LOW_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1189 - Drive-by Compromise

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-03-12

Added to CISA KEV: 2026-03-13 (1 day between CVE publication and KEV listing)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-03-13)

Regarding CVE-2026-3909, here's what is known about its exploitation:

  • CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2026-3909 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog. CISA maintains this catalog as an authoritative source of vulnerabilities that have been exploited in the wild, and organizations are advised to use it as an input for their vulnerability management processes [2].
  • Evidence of Active Exploitation: There is evidence of active exploitation of CVE-2026-3909 in the wild. Google has released security updates to address this vulnerability, and the company is aware of attacks exploiting it [3].
  • Internet-Facing Applications or Services: The vulnerability affects Google Chrome [3], specifically an "Out of bounds write in Skia" [1]. While Chrome is a widely used application, the direct impact on internet-facing *services* would depend on how Chrome is used to access them. The vulnerability allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page [1].
  • Attack Vectors and Exploitation Methods: The attack vector is identified as Network, with Low Attack Complexity and No Privileges Required. The vulnerability can be exploited by a remote attacker through a crafted HTML page [1].
  • Targeted Attacks: While the vulnerability is being actively exploited, the provided information does not specify whether it has been used in targeted attacks.
  • Technical Details about Internet Exploitability: The vulnerability is an out-of-bounds write in Skia within Google Chrome, affecting versions prior to 146.0.7680.75 [1]. This type of vulnerability can lead to memory corruption, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service condition. The exploitability via a crafted HTML page suggests that a user visiting a malicious website or opening a malicious HTML document in Chrome could be affected.

Sources

  1. CVE-2026-3909 - Vulnerability Details - OpenCVE

    Attack Vector Network. Attack Complexity Low. Privileges Required None. Scope Unchanged. Affected versions: "lessThan": "146.0.7680.75", "versionType": "custom". References: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html, https://issues.chromium.org/is…

  2. Known Exploited Vulnerabilities Catalog

    CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their ...

  3. Google fixed two new actively exploited flaws in the Chrome browser

    Google addressed two high-severity vulnerabilities in the Chrome browser that have been exploited in attacks in the wild. Google has released security updates to address two high-severity vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, in the Chrome browser. The company is aware of atta…