CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3909: Remote Code Execution via Out-of-Bounds Write in Google Skia Graphics Engine

Vulnerability ID: CVE-2026-3909
CVSS Score: 8.8
Published: 2026-03-12

A critical out-of-bounds (OOB) write vulnerability exists in the Google Skia 2D graphics engine, affecting Chrome, ChromeOS, Android, and Flutter. This flaw allows remote attackers to execute arbitrary code within the renderer process via crafted HTML content and is actively exploited in the wild.

TL;DR

CVE-2026-3909 is an actively exploited OOB write in Google Skia. It allows remote code execution when a victim visits a malicious page. Users must update Chrome to version 146.0.7680.75 immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-787
  • Attack Vector: Network
  • CVSS Score: 8.8 (High)
  • EPSS Percentile: 96.31%
  • Impact: Remote Code Execution
  • Exploit Status: Active / Weaponized
  • KEV Status: Listed

Affected Systems

  • Google Chrome (Windows, macOS, Linux)
  • Google ChromeOS
  • Android OS
  • Flutter Framework Applications
  • Google Chrome (Desktop): < 146.0.7680.75 (Fixed in: 146.0.7680.75)

Mitigation Strategies

  • Update Google Chrome to version 146.0.7680.75 immediately across all desktop environments.
  • Apply the March 2026 system security patches for Android and ChromeOS devices.
  • Update Flutter and standalone Skia dependencies in custom applications to incorporate the patched rendering logic.

Remediation Steps:

  1. Identify vulnerable Chrome installations using endpoint management and software inventory tools.
  2. Deploy Chrome version 146.0.7680.75 via MDM, Group Policy, or centralized patch management systems.
  3. Enforce mandatory browser restarts across the organization, since Chrome keeps running the old binary until it is relaunched; the patch is only effective once the updated binaries are loaded.
  4. Audit custom-compiled applications for bundled vulnerable Skia libraries and rebuild them against patched versions.
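Remediation step 1 (and the first mitigation strategy above) depend on correctly deciding whether an installed Chrome build is older than 146.0.7680.75. The following added example, which is not part of the original advisory, shows how to do that comparison over an endpoint-inventory export. The inventory rows and the column names `hostname`, `product`, `version` are constructed sample data and an assumption about the export format; only the fixed version number comes from the advisory.

```python
"""Inventory check for CVE-2026-3909: flag Chrome installs below the fixed build.

Added example, not from the original advisory. SAMPLE_INVENTORY is constructed
sample data and its column names are an assumed export format.
"""
import csv
import io
from typing import List, Tuple

FIXED_VERSION = "146.0.7680.75"  # fixed build stated in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chrome version string into a comparable tuple of ints.

    Chrome versions are four dotted integers (MAJOR.MINOR.BUILD.PATCH).
    Shorter strings are zero-padded so "146.0" compares as 146.0.0.0.
    Raises ValueError on anything that is not dotted integers.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample export (assumed columns: hostname, product, version).
SAMPLE_INVENTORY = """\
hostname,product,version
ws-001,Google Chrome,146.0.7680.75
ws-002,Google Chrome,145.0.7632.120
ws-003,Google Chrome,146.0.7680.31
ws-004,Google Chrome,146.0.7700.1
srv-001,Mozilla Firefox,136.0
ws-005,Google Chrome,not-installed
"""


def find_vulnerable_hosts(inventory_csv: str,
                          fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every Chrome row older than the fixed build.

    Rows for other products are skipped. Rows whose version string cannot be
    parsed are still returned, marked UNPARSEABLE, so they get manual review
    instead of silently passing as patched.
    """
    hits: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"] != "Google Chrome":
            continue
        try:
            if is_vulnerable(row["version"], fixed):
                hits.append((row["hostname"], row["version"]))
        except ValueError:
            hits.append((row["hostname"], f"UNPARSEABLE:{row['version']}"))
    return hits


if __name__ == "__main__":
    for host, ver in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> needs {FIXED_VERSION} or later")
```

The numeric tuple comparison matters: a plain string comparison would rank "146.0.7680.9" above "146.0.7680.75" and report a vulnerable host as patched. Unparseable version fields are surfaced rather than dropped, because an inventory gap on a browser with an actively exploited bug is itself a finding.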

Read the full report for CVE-2026-3909 on our website for more details including interactive diagrams and full exploit analysis.