CISA has added a Google Skia out-of-bounds write vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation by late March 2026.
What Is It
This security issue is identified as CVE-2026-3909 and classified under CWE-787 (out-of-bounds write). Skia is the open-source 2D graphics library that Chrome and other products use for rendering; the flaw allows a remote attacker to trigger out-of-bounds memory access when a victim loads a crafted HTML page. It is formally recognized as a Google Skia Out-of-Bounds Write Vulnerability.
Why It Matters
Inclusion in the CISA Known Exploited Vulnerabilities catalog indicates that the flaw is being exploited in the wild and poses significant risk to critical infrastructure. Because Skia is a widely embedded open-source library rather than a single application, the impact extends to every product that bundles it. Organizations must prioritize this due to the potential for remote exploitation through web-based vectors. Check with specific vendors for information on patching status, as the scope may vary across implementations.
What's Vulnerable
The affected vendor project is Google, specifically the Skia product. This vulnerability impacts Google Chrome and ChromeOS, Android, Flutter, and possibly other products. Users should check with specific vendors for information on patching status as the scope may vary across implementations.
Patch Status
CISA requires federal civilian agencies to respond by 2026-03-27. The required action is to apply mitigations per vendor instructions or follow applicable BOD 22-01 guidance for cloud services. If mitigations are unavailable, organizations must discontinue use of the product. Known ransomware campaign use is currently listed as Unknown.
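As an added example (not from CISA or this advisory), the following Python triages one KEV record against an asset inventory: it parses a constructed record shaped like an entry in the public KEV JSON feed, flags hosts running products that embed Skia, and computes the time left before the 2026-03-27 due date. The record values, the inventory and the list of Skia-embedding products are constructed assumptions drawn from the text above.

```python
import json
from datetime import date

# Constructed sample of one KEV catalog record, shaped like the entries in
# the CISA KEV JSON feed; the values are taken from the advisory text above.
KEV_RECORD_JSON = """{
  "cveID": "CVE-2026-3909",
  "vendorProject": "Google",
  "product": "Skia",
  "vulnerabilityName": "Google Skia Out-of-Bounds Write Vulnerability",
  "requiredAction": "Apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product.",
  "dueDate": "2026-03-27",
  "knownRansomwareCampaignUse": "Unknown",
  "cwes": ["CWE-787"]
}"""

# Assumption: products the advisory names as bundling Skia.
SKIA_CONSUMERS = {"Google Chrome", "ChromeOS", "Android", "Flutter"}

# Constructed asset inventory: hostname -> primary product installed.
INVENTORY = {
    "ws-01": "Google Chrome",
    "tablet-07": "Android",
    "srv-db": "PostgreSQL",
    "app-build": "Flutter",
}


def parse_kev_record(raw: str) -> dict:
    """Load one KEV record and convert its due date to a date object."""
    rec = json.loads(raw)
    rec["dueDate"] = date.fromisoformat(rec["dueDate"])
    return rec


def days_until_due(rec: dict, today: date) -> int:
    """Positive = days left before the KEV due date, negative = days overdue."""
    return (rec["dueDate"] - today).days


def triage(rec: dict, inventory: dict, today: date) -> dict:
    """List exposed hosts (sorted) and report deadline status for the record."""
    exposed = sorted(h for h, prod in inventory.items() if prod in SKIA_CONSUMERS)
    remaining = days_until_due(rec, today)
    return {
        "cve": rec["cveID"],
        "exposed_hosts": exposed,
        "days_remaining": remaining,
        "overdue": remaining < 0,
        "ransomware_use": rec["knownRansomwareCampaignUse"],
    }
```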
Sources
- CISA KEV Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2026-3909
- Google Chrome Releases: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html#:~:text=Google%20is%20aware