CISA KEV: CVE-2026-3909 - Google Skia Out-of-Bounds Write Vulnerability
Summary
Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products. This vulnerability is actively exploited in the wild.
Threat Analysis
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-3909 to its Known Exploited Vulnerabilities catalog, confirming active exploitation. Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products. Affected vendor: Google. Product: Skia. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.. Due date: 2026-03-27. Organizations should prioritize patching this vulnerability immediately to prevent potential compromise.