
CISA has added two newly confirmed zero-days affecting Google Chrome, CVE-2026-3909 and CVE-2026-3910, to its Known Exploited Vulnerabilities (KEV) catalog. Both are confirmed exploited in the wild; Google has acknowledged active exploitation but has not disclosed attribution or attack details at this stage.
CVE-2026-3909 — Out-of-Bounds Write in Skia
This vulnerability resides in Skia, the open-source 2D graphics library embedded in Chrome and in a wide array of other software, including Android system components and Flutter-based applications. It is an out-of-bounds write: a specially crafted HTML page can make the renderer write outside the bounds of an allocated buffer and corrupt memory. No privileges are required, and the only user interaction needed is visiting the attacker's page.
The concern extends beyond browsers. Skia is normally compiled into the product that uses it, so a Chrome update fixes only Chrome; every other application that bundles its own copy of Skia stays exposed until its vendor ships a rebuild against the patched code. Security teams should audit their asset inventory for Skia-dependent software beyond Chrome, not just push the browser update.
CVE-2026-3910 — Inappropriate Implementation in V8
This vulnerability affects V8, Chrome's JavaScript and WebAssembly execution engine. An inappropriate-implementation flaw allows a remote attacker to execute arbitrary code inside the Chrome renderer sandbox via a crafted HTML page. V8 bugs are particularly high-value in exploit development because the delivery mechanism is nothing more than a web page, which makes them a natural fit for malvertising, phishing, and watering-hole campaigns. Note the scope: code execution in the renderer sandbox gives the attacker everything that process holds (page content, session data, a foothold to attack the rest of the browser), but reaching the host OS normally requires a separate sandbox-escape bug, which is why in-the-wild V8 exploits are usually one link in a chain.
When both CISA and Google confirm active exploitation of a V8 bug, a working exploit is already in the hands of threat actors; this is not a proof of concept.
Discovery & Patch Status
Both vulnerabilities were reported internally by Google on March 10, 2026. The Chrome stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux. Microsoft followed with a Microsoft Edge stable update on March 12, 2026, covering Chromium-based exposure in enterprise environments; verify the exact Edge build against Microsoft's release notes, since Edge major versions track the corresponding Chromium major version.
CISA Remediation Deadline
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate both vulnerabilities by March 27, 2026. While BOD 22-01 applies directly to federal agencies, CISA strongly urges all organizations to prioritize KEV-listed vulnerabilities for immediate remediation.
What Organizations Should Do Now
- Push the Chrome update to all endpoints immediately — do not wait for scheduled patch windows
- Validate Chromium-based browser versions across the environment (Edge, Opera, Brave, etc.)
- Audit software inventory for Skia library dependencies beyond browsers
- Review endpoint telemetry for anomalous browser process behavior in the March 10–14 timeframe, in particular browser or renderer processes spawning shells, script interpreters, or other unexpected child processes, and outbound connections from browser processes to unfamiliar destinations
- Disable or restrict access to untrusted web content for high-risk user segments until patch confirmation is complete
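Two of the checklist items above, version validation of Chromium-based browsers and the Skia dependency audit called out in the CVE-2026-3909 section, are the kind of thing worth scripting rather than eyeballing. The shell script below is an added example written for this page; it is not code from the original article, from Google, or from CISA. It compares a browser's version banner against the patched Chrome build the article names (146.0.7680.75) using a proper component-wise comparison (string comparison gets 146.0.7680.100 wrong), and it flags native binaries that appear to bundle Skia. Two assumptions are labeled in the code: the Edge baseline is a placeholder to be replaced from Microsoft's release notes, and the Skia detection relies on well-known Skia class names surviving in the binary's strings, which is a heuristic of this example rather than a documented marker. All inputs in the demonstration section are constructed.

```shell
#!/bin/sh
# Added example for this page (not code from the article, Google, or CISA).
#  1. check_browser: compare a Chromium-browser version banner against the
#     patched build the article names, component by component.
#  2. scan_for_skia: list binaries under a directory whose strings carry
#     Skia class names (heuristic; stripped or obfuscated builds may hide them).

MIN_CHROME="146.0.7680.75"   # from the article (Linux build; Win/Mac also ship .76)
MIN_EDGE="146.0.0.0"         # PLACEHOLDER ASSUMPTION, not from the article:
                             # replace with the build from Microsoft's release notes

# version_ge A B: succeed if dotted version A >= B. Both are padded with
# ".0.0.0" so that short versions such as "146" compare as 146.0.0.0.
version_ge() {
    vg_a_full="$1.0.0.0"
    vg_b_full="$2.0.0.0"
    vg_i=1
    while [ "$vg_i" -le 4 ]; do
        vg_a=$(printf '%s\n' "$vg_a_full" | cut -d. -f"$vg_i")
        vg_b=$(printf '%s\n' "$vg_b_full" | cut -d. -f"$vg_i")
        if [ "$vg_a" -gt "$vg_b" ]; then return 0; fi
        if [ "$vg_a" -lt "$vg_b" ]; then return 1; fi
        vg_i=$((vg_i + 1))
    done
    return 0
}

# version_from_banner "Google Chrome 146.0.7680.75" -> 146.0.7680.75
# (the version is the last whitespace-separated field of --version output)
version_from_banner() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# check_browser BANNER MIN: print a status line; succeed only when patched.
check_browser() {
    cb_ver=$(version_from_banner "$1")
    if version_ge "$cb_ver" "$2"; then
        printf 'PATCHED    %s (>= %s)\n' "$1" "$2"
        return 0
    fi
    printf 'VULNERABLE %s (< %s)\n' "$1" "$2"
    return 1
}

# scan_for_skia DIR: print each regular file under DIR whose contents contain
# a well-known Skia class name. A hit means "inventory this for follow-up",
# not "confirmed vulnerable"; a miss on a stripped build proves nothing.
scan_for_skia() {
    find "$1" -type f -exec grep -l -e SkCanvas -e SkSurface -e SkPaint {} + 2>/dev/null
}

# --- Demonstration on constructed input (no real browser needed) ----------
# Constructed banners: one patched build, one older 146 build, one 145 build.
for banner in "Google Chrome 146.0.7680.76" "Google Chrome 146.0.7680.40" \
              "Chromium 145.0.7000.10"; do
    check_browser "$banner" "$MIN_CHROME" || :
done
# On a live host, feed the real banner instead, for example:
#   check_browser "$(google-chrome --version)" "$MIN_CHROME"
#   check_browser "$(microsoft-edge --version)" "$MIN_EDGE"

demo_dir=$(mktemp -d)
printf 'ELF.. SkCanvas::drawPath ..' > "$demo_dir/libflutter.so"  # constructed: bundles Skia
printf 'ELF.. no graphics code ..'   > "$demo_dir/libother.so"    # constructed: no Skia
scan_for_skia "$demo_dir" || :
rm -rf "$demo_dir"
```

Point `scan_for_skia` at application install roots (for example `/opt`, `/usr/lib`, or an extracted APK's `lib/` directory) rather than the whole filesystem, and treat its output as a worklist for the vendor-patch check described above, because the presence of Skia strings says nothing about which Skia revision was compiled in.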
Chrome zero-days confirmed in KEV require incident-response velocity — not patch-cycle velocity.
Stay tuned to TheCyberThrone for continued KEV tracking and vulnerability intelligence.



