CVE-2026-3909

CVSS 8.8 HIGH · EPSS 1.6% · KEV · CWE-787
Vexday Risk Score: 51 (Attention)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 8.8 · EPSS 1.6% · KEV yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
12 Mar 2026: Published on NVD
13 Mar 2026: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A bug in Chrome's graphics engine (Skia) allows attackers to write data outside intended memory boundaries through a specially crafted webpage, potentially crashing the browser or executing malicious code.

Technical detail

Out-of-bounds write vulnerability in Skia rendering engine exploitable via crafted HTML; remote attack vector requiring user to visit malicious page; impacts memory integrity and may enable code execution or denial of service.

Summary generated and translated by AI from the official description.
Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · Chrome
