
CVE-2026-3909: High Vulnerability in Google Chrome

A high-severity out-of-bounds write in the Skia graphics library used by Google Chrome can be triggered remotely through a crafted HTML page, giving an attacker out-of-bounds memory access inside the browser. The fix shipped in Chrome 146.0.7680.75, and the flaw is listed as exploited in the wild, so organizations should prioritize patching.

Severity: HIGH · Known Exploited · CVSS 8.8 · Published March 13, 2026


CVE-2026-3909 is a high-severity vulnerability in Google Chrome: an out-of-bounds write in the Skia graphics library that Chrome uses to rasterize web content. A remote attacker can trigger out-of-bounds memory access by getting a victim to load a specially crafted HTML page. The CVSS score is 8.8.

The only user interaction required is rendering the attacker's page, so delivery can be as simple as a link in a phishing message, a malicious advertisement, or a compromised website; no download or prompt has to be accepted. Successful exploitation corrupts memory in the browser and, per the CVSS rating, can compromise the confidentiality, integrity, and availability of the affected system.

The vulnerability has been confirmed as exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Given the high severity and the confirmed exploitation, organizations should update Chrome to 146.0.7680.75 or later without delay.

Vulnerability Details

The official description states that an out-of-bounds write in Skia in Google Chrome prior to version 146.0.7680.75 allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page. The weakness is classified as CWE-787 (Out-of-bounds Write).

With a CVSS score of 8.8, the vulnerability is rated high severity, reflecting high impact on confidentiality, integrity, and availability. The listed affected product is Google Chrome; other Chromium-based browsers and products that bundle the same Skia code should be checked against their own vendors' advisories rather than assumed patched or unaffected.

The vulnerability was published on March 13, 2026. Users and administrators should update to the fixed version or later.

Technical Analysis

The root cause of CVE-2026-3909 is improper memory handling in the Skia library that allows a write past the bounds of an allocated buffer. The attack vector is network-based with low attack complexity, no privileges are required, and user interaction is required (the victim must render a malicious HTML page). Those factors, together with high confidentiality, integrity, and availability impact, correspond to the published CVSS 3.1 score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Skia runs inside Chrome's renderer process, so an out-of-bounds write there is the kind of memory-corruption primitive that is typically used to gain code execution in the renderer and then chained with a separate sandbox escape for full compromise. Details of the exploit chain used in the wild are not published here; defenders should treat the issue as a renderer code-execution risk regardless.

Risk & Impact Analysis

Risks to organizations include unauthorized access to sensitive information, data breaches, and service disruption on affected endpoints. The blast radius is every unpatched Chrome installation that renders attacker-controlled content, which in practice means every user with a browser. Because exploitation in the wild is confirmed, this vulnerability should be moved to the front of the patch-management queue: assess exposure by inventorying Chrome versions across the fleet and remediate any build older than 146.0.7680.75 as soon as possible.

Exploitation Status

Signal               Status
Known Exploit        Yes
Public PoC           Yes
Actively Exploited   Yes
Ransomware Use       No

Affected Versions

Google Chrome versions prior to 146.0.7680.75 are affected; 146.0.7680.75 and later contain the fix. Chrome applies a downloaded update only after the browser is relaunched, so a host can report a pending update while still running a vulnerable build. Compare the running version (chrome://version, or the version reported by your MDM/EDR inventory) against the fixed build rather than relying on the presence of an update.
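The check above is easy to get wrong when done with string comparison: "146.0.7680.9" sorts after "146.0.7680.75" as text but is an older, vulnerable build. The following script is an added example (not code from this advisory or from Google) that parses Chrome's four-part version numbers, compares them numerically against the fixed build, and buckets a fleet inventory into vulnerable, patched, and unknown. The inventory rows and host names are constructed sample data; in practice they would come from an MDM or EDR export.

```python
"""Fleet triage for CVE-2026-3909: flag Chrome installs older than the fixed build.

Added example for illustration; not code from the advisory or from Google.
The inventory below is constructed sample data, not real hosts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed version named in the advisory: builds strictly older than this are affected.
FIXED_VERSION = "146.0.7680.75"

# Chrome versions are up to four dotted integers (major.minor.build.patch).
_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a Chrome version string into a 4-tuple of ints.

    Exports sometimes truncate trailing components, so missing ones are
    treated as zero. Anything else (empty, non-numeric, too many parts)
    raises ValueError so a malformed row is reported instead of being
    silently treated as patched.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is strictly older than the fixed build (numeric compare)."""
    return parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Host:
    name: str
    chrome_version: str


def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Bucket hosts into vulnerable / patched / unknown (unparseable version)."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(host.chrome_version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host.name)
    return result


# Constructed sample inventory covering the edge cases a real export produces.
SAMPLE_INVENTORY = [
    Host("ws-0101", "145.0.7632.110"),  # older major: vulnerable
    Host("ws-0102", "146.0.7680.74"),   # one patch level short: vulnerable
    Host("ws-0103", "146.0.7680.75"),   # exactly the fixed build: patched
    Host("ws-0104", "146.0.7721.0"),    # newer build on the same major: patched
    Host("ws-0105", "147.0.7800.12"),   # newer major: patched
    Host("ws-0106", "146.0"),           # truncated export -> 146.0.0.0: vulnerable
    Host("ws-0107", "unknown"),         # agent could not read the version: unknown
    Host("ws-0108", "146.0.7680.9"),    # string compare would call this patched: vulnerable
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {len(hosts):3d}  {', '.join(hosts)}")
```

Hosts in the "unknown" bucket should be treated as vulnerable until the version can be confirmed; the point of the separate bucket is to make the gap in inventory coverage visible rather than hiding it in either of the other two.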

Mitigation & Remediation

A fix is available: update Google Chrome to 146.0.7680.75 or later and relaunch the browser so the new build is actually running. In managed environments, enforce the update through your browser management or MDM policy and verify with a version inventory rather than trusting that auto-update has completed. Where an endpoint cannot be updated promptly, reduce exposure by limiting its browsing to trusted destinations until it is patched. Regular penetration testing can help confirm that patch coverage holds across the fleet.

Detection Guidance

Out-of-bounds memory access inside a browser is not something ordinary logs record, so detection focuses on surrounding signals. Inventory Chrome versions across the fleet and alert on any build older than 146.0.7680.75. Watch for unexpected Chrome renderer-process crashes, which are a common side effect of failed or unstable memory-corruption exploits, and review crash reports from endpoint tooling. On web proxies and secure web gateways, look for sessions that delivered HTML from newly registered or otherwise suspicious domains shortly before such crashes or before unusual child processes were spawned by the browser.

AppSecure Threat Intelligence Insight

CVE-2026-3909 illustrates the exposure that comes with widely shared components: Skia is embedded in Chrome, Android, and Flutter among other products, so a single library flaw can surface across many surfaces at once. Security teams should track which common libraries their products and endpoints depend on, fold that information into vulnerability management, and confirm through regular penetration testing that known issues have actually been remediated rather than merely scheduled.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
