Threat Intelligence / CVE / CVE-2026-3909
CVE-2026-3909
CISA KEVOut of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Threats tracking this CVE
- Chrome V8 and Skia Zero-Days Under Active Exploitation (CVE-2026-3910, CVE-2026-3909) — CRITICAL
- Google Chrome Double Zero-Day — Skia OOB Write & V8 Implementation Flaw (CVE-2026-3909, CVE-2026-3910) — CRITICAL
References
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
- https://issues.chromium.org/issues/491421267
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
Full detection coverage & IOCs for threats exploiting CVE-2026-3909 are available via the Threadlinqs MCP server (Purple tier). View plans →