CVE-2026-3909 Overview
CVE-2026-3909 is an out-of-bounds write vulnerability in the Skia graphics library used by Google Chrome. The flaw affects Chrome versions prior to 146.0.7680.75 across Windows, macOS, and Linux. A remote attacker can trigger out-of-bounds memory access by serving a crafted HTML page to a victim. Successful exploitation requires user interaction such as visiting an attacker-controlled page. CISA has added CVE-2026-3909 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The vulnerability is tracked as CWE-787 (Out-of-Bounds Write).
Critical Impact
Remote attackers can corrupt memory in the renderer process through a crafted web page, potentially leading to arbitrary code execution and follow-on attacks against the sandbox that target Chrome users.
Affected Products
- Google Chrome versions prior to 146.0.7680.75
- Chrome on Microsoft Windows
- Chrome on Apple macOS and Linux
Discovery Timeline
- 2026-03-13 - Google releases Chrome 146.0.7680.75 Stable Channel update addressing CVE-2026-3909
- 2026-03-13 - CVE-2026-3909 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-3909
Vulnerability Analysis
The vulnerability resides in Skia, the 2D graphics rendering engine that Chrome uses to draw HTML content, canvas elements, fonts, and images. An out-of-bounds write occurs when Skia processes a crafted HTML page that drives the renderer to write data past the bounds of an allocated buffer. Memory corruption inside the renderer process can be shaped into a controllable primitive by an attacker. Chromium classifies the underlying security severity as High, and the issue is reachable over the network with user interaction required.
The CISA KEV listing indicates that threat actors have weaponized this Skia flaw against live Chrome users. Out-of-bounds writes in graphics pipelines historically chain with sandbox escapes to achieve full host compromise.
Root Cause
The root cause is improper bounds checking inside Skia rendering routines when handling attacker-influenced geometry, path, or buffer parameters from a web page. The Chromium issue tracker entry (Chromium Issue #491421267) is restricted, consistent with active exploitation. Because Skia executes in the renderer process, untrusted web content can reach the vulnerable code paths directly.
Attack Vector
Exploitation is network-based and requires the victim to load attacker-controlled HTML. An adversary hosts a malicious page or injects malicious content into a compromised site, then lures the target to visit. When the page is rendered, Skia writes outside the intended buffer, corrupting adjacent memory. Attackers typically pair this primitive with a sandbox escape to gain code execution on the host.
No public proof-of-concept code is available. Technical specifics remain restricted in the Chromium issue tracker.
Detection Methods for CVE-2026-3909
Indicators of Compromise
- Chrome renderer process crashes with access violations or STATUS_HEAP_CORRUPTION referencing skia.dll or Skia symbols
- Unexpected child process spawns from chrome.exe following navigation to untrusted sites
- Outbound connections from Chrome renderer or helper processes to newly observed domains hosting heavy canvas, SVG, or font payloads
- Browser telemetry showing users running Chrome builds below 146.0.7680.75
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any host below 146.0.7680.75
- Monitor endpoint logs for Chrome crash signatures involving Skia modules and correlate with browsing history
- Hunt for post-exploitation patterns such as Chrome spawning cmd.exe, powershell.exe, or shell utilities
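The first and third strategies above can be combined in one triage pass. The following is an added example, not code from this advisory or from Google: it compares versions numerically (string comparison gets four-part Chrome versions wrong) and ranks Chrome-spawned shells higher on unpatched hosts. The event fields, host names, parent image names and sample data are assumptions constructed for illustration.

```python
# Added example; hosts, versions and events are constructed sample data.
PATCHED = (146, 0, 7680, 75)  # fixed build named in this advisory
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}  # children worth a look
BROWSERS = {"chrome.exe", "chrome"}  # assumed parent image names

def parse_version(text):
    """'146.0.7680.75' -> (146, 0, 7680, 75); None if not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_vulnerable(text):
    """Compare numerically; unknown or malformed versions count as vulnerable."""
    version = parse_version(text)
    return version is None or version < PATCHED

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events, inventory):
    """Return (host, child, priority) for shells whose parent is Chrome."""
    findings = []
    for ev in events:
        child = basename(ev["image"])
        if basename(ev["parent"]) in BROWSERS and child in SHELLS:
            unpatched = is_vulnerable(inventory.get(ev["host"], ""))
            findings.append((ev["host"], child, "high" if unpatched else "medium"))
    return findings

INVENTORY = {  # constructed fleet inventory: host -> reported Chrome version
    "ws-01": "146.0.7680.75",
    "ws-02": "146.0.7680.9",    # below .75 numerically, above it as a string
    "ws-03": "146.0.7680.100",  # above .75 numerically, below it as a string
}
EVENTS = [  # constructed process-creation events
    {"host": "ws-02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws-03", "image": "/bin/sh", "parent": "/opt/google/chrome/chrome"},
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(sorted(h for h, v in INVENTORY.items() if is_vulnerable(v)))
    for finding in triage(EVENTS, INVENTORY):
        print(finding)
```

Findings are triage leads rather than verdicts: Chrome can start helper processes for legitimate reasons, so review the command line and timing before escalating.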
Monitoring Recommendations
- Forward Chrome crash and watchdog events to centralized logging and alert on Skia-related faults
- Track DNS and proxy logs for users visiting low-reputation domains immediately before browser crashes
- Enable browser management policies that report version compliance to the security team
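The crash-to-browsing correlation recommended above is a time-window join between two log sources. The following is an added example, not code from this advisory: the record layouts, the five-minute window, and all hosts and domains are assumptions constructed for illustration.

```python
# Added example; both logs are constructed and use reserved .example names.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back before each crash

def skia_crashes(crash_log):
    """Return (time, host) for crash records whose detail text mentions Skia."""
    return [(datetime.fromisoformat(t), host)
            for t, host, detail in crash_log if "skia" in detail.lower()]

def domains_before_crashes(crash_log, proxy_log, window=WINDOW):
    """Map (host, crash time) to domains that host requested inside the window."""
    requests = sorted((datetime.fromisoformat(t), h, d) for t, h, d in proxy_log)
    result = {}
    for when, host in skia_crashes(crash_log):
        domains = []
        for seen_at, req_host, domain in requests:
            in_window = when - window <= seen_at <= when
            if req_host == host and in_window and domain not in domains:
                domains.append(domain)
        result[(host, when.isoformat())] = domains
    return result

CRASH_LOG = [  # constructed: (timestamp, host, crash detail)
    ("2026-03-14T09:15:30", "ws-02",
     "renderer crash, STATUS_HEAP_CORRUPTION, Skia frame on stack"),
    ("2026-03-14T10:02:00", "ws-01", "GPU process hang, watchdog timeout"),
]
PROXY_LOG = [  # constructed: (timestamp, host, requested domain)
    ("2026-03-14T09:14:50", "ws-02", "cdn.lowrep.example"),
    ("2026-03-14T09:01:00", "ws-02", "intranet.corp.example"),
    ("2026-03-14T09:12:10", "ws-02", "news.site.example"),
    ("2026-03-14T09:14:55", "ws-07", "cdn.lowrep.example"),
    ("2026-03-14T09:16:00", "ws-02", "after.crash.example"),
]

if __name__ == "__main__":
    for key, domains in domains_before_crashes(CRASH_LOG, PROXY_LOG).items():
        print(key, domains)
```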
How to Mitigate CVE-2026-3909
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.75 or later on all Windows, macOS, and Linux endpoints
- Restart Chrome on managed devices to ensure the patched binary is loaded into memory
- Apply the same update to Chromium-based browsers downstream of the affected Chrome release
- Prioritize remediation in line with the CISA KEV catalog entry
Patch Information
Google released the fix in the Chrome Stable Channel update detailed in the Google Chrome Release Update. The patched build is 146.0.7680.75 for Windows, macOS, and Linux. Enterprises deploying Chrome through MSI, MDM, or package managers should push the updated installer and confirm version compliance.
Workarounds
- Enforce automatic Chrome updates through enterprise policy until all endpoints report the patched version
- Restrict browsing to allow-listed domains for high-risk users while patch deployment completes
- Block known malicious domains and newly registered domains at the proxy or DNS resolver
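# Verify Chrome version on Linux endpoints
google-chrome --version
# Verify Chrome version on macOS endpoints (google-chrome is not on PATH there)
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# Windows PowerShell: query installed Chrome version
(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
# Chrome Enterprise update policy values (JSON)
# On Windows, ComponentUpdatesEnabled goes under HKLM\Software\Policies\Google\Chrome
# TargetVersionPrefix is a Google Update policy; it holds updates at this prefix rather than
# setting a minimum, so remove it once the fleet is patched
{
  "TargetVersionPrefix": "146.0.7680.75",
  "ComponentUpdatesEnabled": true
}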


