CVE-2026-3909

HighCISA KEVActive Exploitation

Published: 13 March 2026

Published

13 March 2026

Modified

25 March 2026

KEV Added

13 March 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0045 64.0th percentile

Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3909 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 36.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identifying, prioritizing, and remediating known flaws like the out-of-bounds write in Chrome's Skia library by applying patches such as version 146.0.7680.75.

SI-16 Memory Protection good match

prevent

Implements memory protection methods such as stack canaries, ASLR, and DEP that directly mitigate exploitation of out-of-bounds writes in Skia during HTML processing.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning detects systems running vulnerable Chrome versions affected by this Skia out-of-bounds write, enabling targeted remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in Chrome's Skia library exploited via crafted HTML on malicious website enables drive-by compromise (T1189) and client-side exploitation for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-3909 is an out-of-bounds write vulnerability in the Skia graphics library used by Google Chrome versions prior to 146.0.7680.75. This flaw, classified under CWE-787, enables out-of-bounds memory access when processing a crafted HTML page. Chromium security teams rated it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation allows the attacker to achieve high-impact effects on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise within the browser's sandbox.

Google's Chrome Releases blog details a stable channel update to version 146.0.7680.75 that addresses this issue. The vulnerability is tracked in the Chromium issue tracker at issues.chromium.org/issues/491421267. Mitigation involves updating to the patched version, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it in its Known Exploited Vulnerabilities Catalog.

This CVE appears in CISA's Known Exploited Vulnerabilities Catalog, indicating real-world exploitation by threat actors.

Details

CWE(s): CWE-787
KEV Date Added: 13 March 2026

Affected Products

google

chrome

≤ 146.0.7680.80

CVEs Like This One

CVE-2026-5281Same product: Apple Macosboth on KEV

CVE-2026-2441Same product: Apple Macosboth on KEV

CVE-2025-9132Same product: Apple Macos

CVE-2025-13223Same product: Apple Macosboth on KEV

CVE-2025-10585Same product: Apple Macosboth on KEV

CVE-2026-4450Same product: Apple Macos

CVE-2025-13042Same product: Apple Macos

CVE-2026-3910Same product: Apple Macosboth on KEV

CVE-2026-7951Same product: Apple Macos

CVE-2025-8901Same product: Apple Macos

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/491421267
Permissions Required · chrome-cve-admin@google.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0