CISA KEV Alert 3/13/2026, 7:22:52 PM

CISA Adds CVE-2026-3909 to Known Exploited Vulnerabilities Catalogue

CyberSIXT Evidence Panel
Source: marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

CISA has added CVE‑2026‑3909 – the Google Skia Out‑of‑Bounds Write Vulnerability – to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Google’s Skia graphics library, which is embedded in Chrome, ChromeOS, Android, Flutter and other downstream products.

The vulnerability is an out‑of‑bounds write that can be triggered by a crafted HTML page. An attacker who convinces a victim to load the page can corrupt memory, potentially achieving code execution. The CVSS score is 8.8, classifying it as HIGH severity. The attack vector is remote and network‑based, and exploitation does not need local privileges. Google has released a patch; the update is available through the normal Chrome stable‑channel release.

The entry's presence in the KEV list means active exploitation has been confirmed in the wild. No ransomware campaigns have been linked to this CVE to date. CISA has set a remediation deadline of 27 March 2026 for affected federal civilian executive branch (FCEB) agencies.

CISA’s required action is to “apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” Agencies should patch Chrome, ChromeOS, Android and any other software that bundles Skia before the deadline. Organisations that do not use the affected products should still verify that no internal applications rely on the library and consider temporary mitigations if a patch cannot be applied immediately.

For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-3909 and the CISA KEV catalogue.


Article by CyberSIXT