CVE-2026-3909 - Vulnerability Details

Description

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Published: 2026-03-12

Score: 8.8 High

EPSS: < 1% Very Low

KEV: Yes

Impact:

Action:

Analysis

Impact

The CVE identifies an out-of-bounds write in the Skia graphics library used by Google Chrome. The vendor description states that a crafted HTML page can trigger out-of-bounds memory access, potentially corrupting memory. The direct impact described is memory corruption, and while arbitrary code execution is a logical consequence of such corruption, the official description does not explicitly confirm it. The weakness is identified as CWE-787.

Affected Systems

All Google Chrome installations with a version older than 146.0.7680.75 are affected. This includes Chrome running on Windows, macOS and Linux platforms as indicated by the CPE entries. The vendor list confirms Google:Chrome is the impacted product.

Risk and Exploitability

The CVSS score of 8.8 suggests high severity, and an EPSS score of 33% indicates a moderate likelihood of exploitation. The vulnerability is listed in the CISA KEV catalog, confirming that it has been actively exploited. Based on the description, the attack vector is remote via a malicious HTML page, and no local or privileged conditions are required. The potential for arbitrary code execution is inferred from the nature of the memory corruption, but this is not explicitly documented in the CVE.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`146.0.7680.75`	affected	< 146.0.7680.75

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[146.0.7680.75,146.0.7680.75)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 146.0.7680.75 or later, which resolves the Skia out-of-bounds write.
Verify the browser displays the updated version number after the update.
If an immediate update is not possible, restrict browsing to trusted sites or block untrusted HTML content until the patch is applied.
Where feasible, consider using enterprise policies to enforce the latest Chrome update or to disable potentially risky browser features.

Generated by OpenCVE AI on March 18, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6165-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since March 13, 2026.

The EPSS score is 0.00264.

Exploitation active

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
https://issues.chromium.org/issues/491421267
https://nvd.nist.gov/vuln/detail/CVE-2026-3909
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
https://www.cve.org/CVERecord?id=CVE-2026-3909

History

Tue, 24 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html

Fri, 13 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Fri, 13 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3909
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-03-13T00:00:00+00:00', 'dueDate': '2026-03-27T00:00:00+00:00'}`

Fri, 13 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Out of bounds write in Skia
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3909 https://www.cve.org/CVERecord?id=CVE-2026-3909
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 12 Mar 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-787
References		https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html https://issues.chromium.org/issues/491421267

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-03-12T21:30:51.265Z

Updated: 2026-03-24T21:17:08.100Z

Reserved: 2026-03-11T00:54:06.406Z

Link: CVE-2026-3909

Vulnrichment

Updated: 2026-03-12T22:09:31.840Z

NVD

Status : Analyzed

Published: 2026-03-13T19:55:11.170

Modified: 2026-03-25T14:05:38.743

Link: CVE-2026-3909

Redhat

Severity : Important

Publid Date: 2026-03-12T00:00:00Z

Links: CVE-2026-3909 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T10:00:08Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation active

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object