CVE-2026-3909: Out-of-Bounds Write in Google Skia Enables Remote Code Execution Across Chrome, Android, and Flutter

CVE ID: CVE-2026-3909
Vendor: Google
Affected Products: Google Chrome, ChromeOS, Android, Flutter, and any third-party software linking against the Skia graphics library
CISA KEV Patch Deadline: 2026-03-27

Vulnerability Overview

CVE-2026-3909 is an out-of-bounds write vulnerability residing in Google's Skia open-source 2D graphics engine. Skia serves as the rendering backend for Google Chrome, ChromeOS, Android's graphics stack, and the Flutter application framework, making its attack surface exceptionally broad.

The flaw allows a remote, unauthenticated attacker to trigger out-of-bounds memory writes by delivering a crafted HTML page to a target. No user interaction is required beyond loading or rendering the malicious content in the normal course of browser operation. The vulnerability exists within Skia's processing logic for specific graphical operations embedded in HTML content, where insufficient boundary validation allows writes beyond the intended memory buffer.

Technical Details

Vulnerability Class: Out-of-Bounds Write (CWE-787)
Attack Vector: Network (remote, via crafted HTML content)
Authentication Required: None
User Interaction: Required (victim must load malicious HTML)

Out-of-bounds write vulnerabilities at the graphics engine layer are particularly dangerous. Skia runs inside the rendering process and reads and writes that process's memory directly as part of the rendering pipeline. A successful write beyond allocated buffer boundaries can corrupt adjacent memory regions, overwrite function pointers or control-flow data structures, and ultimately redirect execution to attacker-controlled code.

Because Skia is not sandboxed independently — it operates within the renderer process in Chrome and directly within application processes in Android and Flutter — exploitation can lead to arbitrary code execution within the context of the affected application or operating system process. In Chrome, this may require a separate sandbox escape for full system compromise, but on Android and within Flutter applications, the blast radius can be more direct depending on the app's permission scope.

Affected Products and Scope

The scope of CVE-2026-3909 extends well beyond the Chrome browser:

  • Google Chrome (all platforms): The primary attack surface. Users browsing to attacker-controlled or compromised websites are at risk.
  • ChromeOS: The operating system embeds Chrome as its core application environment, exposing the OS-level attack surface.
  • Android: Android's graphics subsystem relies on Skia for 2D rendering. Any Android application that renders HTML or web content via WebView, or uses Skia directly for graphics processing, is potentially affected.
  • Flutter: Google's cross-platform UI framework uses Skia as its rendering engine. Flutter-built applications across Android, iOS, desktop, and web targets may be affected depending on how Skia is integrated in each build target.
  • Third-party products: Any vendor product that bundles or links against the Skia library should be audited. This includes Electron-based applications, embedded browsers, and custom Android system images.

Real-World Impact

A remote attacker who successfully exploits CVE-2026-3909 can achieve arbitrary code execution on the affected device or within the affected application process. On Android, this translates to code running under the permissions granted to the targeted application — which, for system applications or those with broad permissions, can mean access to contacts, location, storage, camera, and microphone.

For enterprise environments, the risk is compounded by the prevalence of Chrome as a primary productivity tool and Android as a dominant mobile platform. A single malicious advertisement, phishing link, or compromised website can serve as the delivery mechanism. The CISA addition to the Known Exploited Vulnerabilities (KEV) catalog with a federal agency patch deadline of 2026-03-27 indicates confirmed or high-confidence exploitation activity.

Flutter applications present an additional concern. Organizations that have deployed internal or customer-facing Flutter apps may be running vulnerable Skia builds without a direct patching mechanism — remediation requires the application developer to update their Flutter SDK and redeploy the application.

Patching and Mitigation Guidance

Immediate Actions:

  1. Patch Chrome and ChromeOS immediately. Apply Google's Chrome stable channel update addressing CVE-2026-3909 as soon as it is available. Enable automatic updates where enterprise policy permits. Verify deployed versions via chrome://settings/help.

  2. Apply Android security updates. Apply the Android Security Bulletin patch that addresses this CVE. For enterprise mobile fleets managed via MDM (e.g., Microsoft Intune, VMware Workspace ONE), push the update immediately and verify compliance status.

  3. Audit Flutter application deployments. Identify all internal Flutter applications. Require development teams to rebuild against a patched Flutter SDK version and redeploy. Notify users of customer-facing Flutter apps to update through the relevant app store.

  4. Review third-party software using Skia. Check vendor advisories for any software in your environment that bundles Skia. Electron-based applications are a notable category — track upstream patches from those vendors.

  5. Sandbox and restrict untrusted HTML content. Until patches are fully deployed across your environment, restrict access to untrusted or unvetted web content. Where feasible, enforce browser isolation technologies (e.g., Remote Browser Isolation) for high-risk user populations such as finance and executive teams.

  6. Monitor for exploitation indicators. Tune SIEM and EDR rules to detect anomalous process behavior originating from Chrome renderer processes, WebView components, or Flutter application processes. Watch for unexpected child process spawning, memory anomalies, or network callbacks from rendering processes.

  7. Federal agencies must patch by 2026-03-27 per CISA's Binding Operational Directive 22-01. Non-federal organizations should treat this deadline as a best-practice benchmark given the confirmed exploitation risk.
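
Step 6 calls for detecting unexpected child processes of Chrome renderer processes. The following is an added Python example, not part of this advisory, that implements that check over constructed process-creation records: Chrome marks its renderer processes with `--type=renderer` on the command line, and a renderer spawning any child process is unexpected. The record field names, the sample events and the PID values are assumptions; map your own telemetry (EDR or Sysmon process-creation events) onto the `ProcCreate` fields.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    """One process-creation event (field names are assumptions; map your telemetry onto them)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line


# Chrome tags its renderer processes with this switch on the command line.
RENDERER_RE = re.compile(r"(^|\s)--type=renderer(\s|$)")


def is_renderer(ev: ProcCreate) -> bool:
    """True for a Chrome renderer process (chrome.exe on Windows, chrome on Linux)."""
    name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in ("chrome.exe", "chrome") and RENDERER_RE.search(ev.cmdline) is not None


def renderer_children(events):
    """Return (renderer, child) pairs: renderers are not expected to spawn anything.

    Events must be in creation order; PID reuse between events is not handled here.
    """
    renderers = {}
    hits = []
    for ev in events:
        if ev.ppid in renderers:
            hits.append((renderers[ev.ppid], ev))
        if is_renderer(ev):
            renderers[ev.pid] = ev
    return hits


# Constructed sample telemetry, not real data.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = [
    ProcCreate(1000, 500, CHROME, "chrome.exe"),
    ProcCreate(1010, 1000, CHROME, "chrome.exe --type=renderer --field-trial-handle=1"),
    ProcCreate(1020, 1000, CHROME, "chrome.exe --type=gpu-process"),
    ProcCreate(1030, 1010, r"C:\Windows\System32\cmd.exe", "cmd.exe"),          # child of a renderer
    ProcCreate(1040, 1000, r"C:\Windows\System32\conhost.exe", "conhost.exe"),  # child of the browser process
]

if __name__ == "__main__":
    for parent, child in renderer_children(SAMPLE):
        print(f"ALERT renderer pid={parent.pid} spawned pid={child.pid} image={child.image}")
```

Only the child of the renderer (pid 1030) is reported; children of the browser process and the GPU process are left alone, since those legitimately spawn helpers.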

Google's security advisories and the Android Security Bulletin are the authoritative sources for patched version numbers. Monitor both for release timing and apply updates without delay.