CVE-2026-3909 — Google Skia: Google Skia Out-of-Bounds Write Vulnerability

March 13, 2026 14:00 /HIGH

CISA KEV vulnerabilitycvecisa-kevactively-exploited

CVE-2026-3909 — Google Skia: Google Skia Out-of-Bounds Write Vulnerability

Image via

CVE-2026-3909 — Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.

What This Means For You

CISA has confirmed active exploitation — immediate patching required.
Added to CISA KEV catalog — federal agencies must remediate by 2026-03-27.

Indicators of Compromise

ID	Type	Indicator
CVE-2026-3909	Buffer Overflow	Google Skia, out-of-bounds write vulnerability, remote attacker, crafted HTML page, affects Google Chrome, ChromeOS, Android, Flutter
CVE-2026-3909	Memory Corruption	Google Skia, out-of-bounds memory access, crafted HTML page
CVE-2026-3909	Misconfiguration	Google Skia, Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable

🔎

Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic — straight from this vulnerability. Use /detect in the Intel Bot.

Open Intel Bot →

Source & Attribution

Source Platform	CISA
Channel	CISA KEV
Published	March 13, 2026 at 14:00 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

What This Means For You

Indicators of Compromise

Related coverage

CVE-2026-20240 — Denial of Service

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged