theinfosecnews

CVE-2026-3909

CISA KEV

Published March 13, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2026-3909: Google Skia Out-of-Bounds Write

**What it is:** Google Skia's graphics rendering engine contains an out-of-bounds write flaw that allows remote code execution when processing malicious HTML pages.

**Impact:** Attackers can exploit this via crafted web content to achieve arbitrary code execution on affected systems, including Chrome, ChromeOS, Android, and Flutter applications. This gives them full control over the compromised device or process.

**Actions:**

- Patch Chrome, ChromeOS, and Android immediately when Google releases updates.
- Review security advisories from Google for affected Flutter versions and third-party products using Skia.
- Block or sandbox untrusted HTML content until patches deploy.
- Monitor for exploitation attempts targeting these vectors in your environment.

Official Description

Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.

Affected Products

| Vendor | Product |
| --- | --- |
| Google | Skia |

Patch Status

Patch by 2026-03-27

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-3909.

Related Coverage

Vulnerability

CVE-2026-3909: Out-of-Bounds Write in Google Skia Enables Remote Code Execution Across Chrome, Android, and Flutter

CVE-2026-3909 is an out-of-bounds write vulnerability in Google's Skia graphics engine that allows remote code execution via crafted HTML pages. The flaw affects Google Chrome, ChromeOS, Android, Flutter, and any third-party software using Skia. CISA has mandated federal agency patching by 2026-03-27, and organizations should apply available updates immediately and audit all Skia-dependent software.

CISA KEV·21d ago·3 min read