Google Chrome (Chromium), Out-of-bounds Write, CVE-2026-3909 (High)

Listen to this Post

CVE-2026-3909 is a high-severity vulnerability in Google Chrome’s Skia 2D graphics library, existing in versions prior to 146.0.7680.75 . Skia is an open-source library responsible for rendering text, geometries, and images in the browser. The flaw is an out-of-bounds write, which occurs when a program writes data beyond the allocated boundary of a buffer . A remote attacker could exploit this by crafting a malicious HTML page and luring a victim to visit it . This triggers the out-of-bounds write in Skia, potentially corrupting memory . This memory corruption can lead to a browser crash or, more critically, allow the attacker to execute arbitrary code on the victim’s machine . Google is aware that this vulnerability was exploited in the wild as a zero-day . The issue was internally discovered and reported by Google on March 10, 2026, with a fix released on March 12, 2026 . Due to the active exploitation, CISA added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on March 13, 2026 . Technical details have been withheld by Google to prevent further abuse while users update their browsers .

dailycve form:

Platform: Google Chrome
Version: < 146.0.7680.75
Vulnerability : Out-of-bounds write
Severity: High (CVSS 8.8)
date: March 12, 2026

Prediction: Patch already released.

What Undercode Say:

Analytics:

This vulnerability (CWE-787) allows memory corruption via a crafted HTML page, leading to potential code execution. Its CVSS 3.1 score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) . It is a zero-day exploit, meaning attacks were detected before a patch was available . Google discovered the flaw internally on March 10 and patched it in the stable channel on March 12 . This marks the third Chrome zero-day patched in 2026 . The U.S. CISA has mandated federal agencies to apply fixes by March 27, 2026 .

Exploit:

As this is an actively exploited zero-day, public exploit code is intentionally withheld by Google and security researchers to protect users. The attack vector is a “crafted HTML page” . The exploit likely involves manipulating specific rendering operations within the Skia library to write data outside its intended buffer. This corrupts adjacent memory, which can be leveraged to hijack the browser’s control flow and execute arbitrary shellcode.

Protection from this CVE:

  1. Immediate Update: Update Google Chrome to version 146.0.7680.75 (Linux) or 146.0.7680.75/76 (Windows/macOS) .
  2. Manual Check: Navigate to `chrome://settings/help` to force an update check and relaunch the browser .
  3. Browser Relaunch: Ensure the browser is fully restarted to apply the update.
  4. Update Chromium Browsers: Users of Microsoft Edge, Brave, Opera, and Vivaldi must apply patches from their respective vendors as they become available .

Impact:

Successful exploitation allows a remote attacker to perform out-of-bounds memory access . This can lead to data corruption, browser instability (crashes), and arbitrary code execution on the underlying host . Code execution could enable the attacker to install programs, view, change, or delete data, or create new accounts with user-level permissions.

Bash/Terminal Commands:

Check current Google Chrome version on Linux (if installed via package manager)
google-chrome --version
Example output: Google Chrome 146.0.7680.75
Update Google Chrome on Ubuntu/Debian (if installed from official repo)
sudo apt update
sudo apt --only-upgrade install google-chrome-stable
Update Google Chrome on Fedora/CentOS/RHEL
sudo yum update google-chrome-stable
General command to check version on any OS via browser (paste in address bar)
Place this line in browser: chrome://settings/help

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top