COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-3909

CVE-2026-3909

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-03-13
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-3909
⌖ exploited in the wild shame 45/100 exploited-in-wildransomwareunpatched

Google Skia contains an actively exploited out-of-bounds write vulnerability enabling remote memory access via crafted HTML.

This vulnerability allows remote attackers to perform out-of-bounds memory access through crafted HTML pages, affecting Google Chrome, ChromeOS, Android, and Flutter. DIB organizations must patch immediately as the CVE is actively exploited and linked to ransomware campaigns, creating significant exposure for any system running these products.

Shame score — While actively exploited, the vulnerability is a known CVE with no FCA settlement or vendor negligence, resulting in moderate embarrassment.

Players implicated

Google · vendorSkia · product

Description

Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.

Affected FedRAMP products 2 in the catalog

ProductProviderStatusMatch
Google Services (Google Cloud Platform Products and underlying Infrastructure) Google Authorized vendor-exact · 0.90
Google Workspace Google Authorized vendor-exact · 0.90