Exposures › CVE-2026-3909
Google Skia contains an actively exploited out-of-bounds write vulnerability enabling remote memory access via crafted HTML.
This vulnerability allows remote attackers to perform out-of-bounds memory access through crafted HTML pages, affecting Google Chrome, ChromeOS, Android, and Flutter. DIB organizations must patch immediately as the CVE is actively exploited and linked to ransomware campaigns, creating significant exposure for any system running these products.
Shame score — While actively exploited, the vulnerability is a known CVE with no FCA settlement or vendor negligence, resulting in moderate embarrassment.
Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
| Product | Provider | Status | Match |
|---|---|---|---|
| Google Services (Google Cloud Platform Products and underlying Infrastructure) | Authorized | vendor-exact · 0.90 | |
| Google Workspace | Authorized | vendor-exact · 0.90 |