Chrome Zero-Days CVE-2026-3909 and CVE-2026-3910 Hit KEV
Lucas OliveiraResearchSummarize with:
Share
Chrome Zero-Days CVE-2026-3909 and CVE-2026-3910 Hit KEV | 2026
Executive Summary
CVE-2026-3909 and CVE-2026-3910 became an urgent enterprise patching priority on March 13, 2026, when CISA added both Chrome flaws to its Known Exploited Vulnerabilities catalog one day after Google shipped fixes. The bugs affect Skia and V8, two core browser components, and Google has confirmed that exploits exist in the wild. For defenders, this is a live zero-day situation that should move Chrome and Chromium-based browsers to the top of the update queue.
The short version is simple: if your organization treats browser updates like ordinary endpoint maintenance, it is probably moving too slowly. An actively exploited vulnerability in a rendering or JavaScript engine creates a fast path from routine browsing to compromise risk, especially when threat actors can weaponize a crafted HTML page and target large browser fleets before updates are fully deployed.
What happened?
Google released emergency desktop Chrome fixes on March 12, 2026 and said both flaws were already being exploited in the wild. On March 13, 2026, CISA added the two CVEs to KEV and set a remediation due date of March 27, 2026 for federal civilian agencies.
Confirmed facts
- CVE-2026-3909 is an out-of-bounds write in Skia.
- CVE-2026-3910 is an improper restriction of operations within the bounds of a memory buffer in Chromium V8.
- Google says exploits for both flaws exist in the wild.
- Fixed versions include Chrome 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux.
- CISA notes that the impact may extend beyond Chrome to other Chromium-based products.
What remains unclear
- Google has not disclosed exploitation chains, victimology, or attribution.
- Public reporting does not yet show whether the two flaws were chained together in observed attacks.
- There is no public evidence yet tying these specific CVEs to ransomware or a named threat actor campaign.
Why this matters for defenders
1. Browser exploitation still scales fast
Browsers remain one of the clearest paths from untrusted web content to endpoint compromise. An actively exploited exploit in a rendering or scripting component can turn a normal browsing session into a security event with almost no user friction.
2. Chromium exposure is broader than Chrome alone
CISA explicitly warns that these flaws may affect multiple Chromium-based browsers and products. That means patch validation should include Microsoft Edge, Opera, and any other Chromium-dependent software deployed in the environment.
3. KEV changes the prioritization math
Once a flaw lands in KEV, the conversation shifts from "important patch" to confirmed active-exploitation exposure. Even outside the U.S. federal space, KEV is high-value threat intelligence because it signals real-world attacker use, not theoretical risk.
Technical breakdown
CVE-2026-3909: Skia out-of-bounds write
Google and CISA describe CVE-2026-3909 as an out-of-bounds write in the Skia 2D graphics library. A crafted HTML page could trigger out-of-bounds memory access during content rendering. In practice, flaws in this class can lead to browser instability, memory corruption, and a foothold for more advanced exploitation.
CVE-2026-3910: V8 memory-boundary issue
CVE-2026-3910 affects the V8 JavaScript and WebAssembly engine. Public descriptions indicate a remote attacker may be able to execute arbitrary code inside a sandbox through a crafted HTML page. Sandboxed code execution is not the same as full host compromise, but it is still a serious step in a browser exploitation chain and may be paired with additional bugs.
Patch versions
Organizations should update to:
- Windows / macOS: Chrome 146.0.7680.75/76
- Linux: Chrome 146.0.7680.75
If you manage Chromium-based browsers through enterprise packaging, confirm whether downstream vendor builds have already incorporated the upstream fixes.
Timeline
| Date | Event | Status |
|---|---|---|
| 2026-03-10 | Google discovered and reported both flaws internally | ⚠️ Initial discovery |
| 2026-03-12 | Google released desktop Chrome updates and acknowledged in-the-wild exploitation | ✅ Patch available |
| 2026-03-13 | CISA added both CVEs to KEV | 📢 KEV listing |
| 2026-03-27 | CISA remediation due date for FCEB agencies | 🔴 Patch deadline |
Indicators and detection
Security teams should look for behavior consistent with browser exploitation or rapid browser process abuse, especially on endpoints that lagged updates.
Priority data sources
- EDR telemetry for unusual browser child processes or crashes followed by suspicious execution.
- Browser management / patch telemetry to identify systems still below the fixed versions.
- Proxy and DNS logs for suspicious domains tied to lure pages or exploit delivery infrastructure.
- Incident response notes for clusters of unexplained browser instability or browser-spawned execution.
Example Splunk hunt
splindex=edr OR index=sysmon (process_name=chrome.exe OR process_name=msedge.exe OR process_name=chrome) (parent_process_name=chrome.exe OR parent_process_name=msedge.exe OR parent_process_name=chrome) (process_name=powershell.exe OR process_name=cmd.exe OR process_name=wscript.exe OR process_name=bash) | stats count min(_time) as firstSeen max(_time) as lastSeen by host, user, parent_process_name, process_name, command_line
This is an example pattern, not a signature for these CVEs specifically. The goal is to identify suspicious child-process behavior originating from browser contexts that may warrant deeper review.
Containment and remediation checklist
🔴 Immediate containment (0–24h)
- Push fixed Chrome builds to all managed endpoints.
- Identify unmanaged or BYOD systems still running older browser versions.
- Review Chromium-based browsers beyond Chrome and confirm vendor patch availability.
- Prioritize high-risk users who browse untrusted content or hold privileged roles.
- Alert the SOC that active browser exploitation is in scope for triage.
🟠 Hardening (24–72h)
- Confirm browser auto-update is not blocked by policy drift or packaging lag.
- Tighten application control around suspicious browser-spawned child processes.
- Review browser extension hygiene and remove unnecessary extensions from sensitive groups.
- Validate web filtering and sandboxing controls on high-risk browsing paths.
- Feed the KEV update into patch dashboards and executive risk reporting.
🟡 Longer-term controls (1–4 weeks)
- Shorten browser patch SLAs compared with general workstation patch cycles.
- Use ring-based deployment to accelerate emergency browser updates safely.
- Expand detections for browser-to-script-host execution chains.
- Include browser exploit scenarios in incident response playbooks.
- Track browser fleet health as a standing operational metric.
Strategic analysis
This is a good example of how little time defenders may have between vendor disclosure and formal confirmation of active exploitation. There are still few public technical details, but the sequence itself matters: Google acknowledged live exploitation, CISA reinforced the signal within a day, and the issue immediately became an exposure-management priority.
The wider lesson is that browser security should be treated as operational threat intelligence, not background IT hygiene. When an emergency browser release and a KEV listing arrive back-to-back, fast fleet visibility and fast patch deployment matter more than waiting for richer exploit reporting.
What are CVE-2026-3909 and CVE-2026-3910?
They are two high-severity Chrome zero-days affecting the Skia graphics library and the Chromium V8 engine. Google says both have been exploited in the wild.
Why does the CISA KEV listing matter?
KEV is a strong prioritization signal because it reflects evidence of active exploitation. It tells defenders this is not just a theoretical vulnerability.
Are only Chrome users affected?
Not necessarily. CISA notes that these flaws may affect other Chromium-based products, so organizations should review their broader browser fleet.
What should defenders do first?
Patch Chrome immediately, verify Chromium-based browser exposure, and hunt for suspicious browser-driven child-process activity on systems that remained unpatched.
Is there public exploit code?
Not at the time of writing. Google has withheld technical details, which is common while active exploitation is ongoing.
References
- Google Chrome Releases, "Stable Channel Update for Desktop," March 12, 2026.
- CISA, "CISA Adds Two Known Exploited Vulnerabilities to Catalog," March 13, 2026.
- CISA Known Exploited Vulnerabilities Catalog entries for CVE-2026-3909 and CVE-2026-3910, accessed March 14, 2026.
- BleepingComputer, "Google fixes two new Chrome zero-days exploited in attacks," March 13, 2026.
Published: 2026-03-14 Author: Invaders Cybersecurity Classification: Public / TLP:CLEAR Reading Time: 5 minutes
Written by
Lucas Oliveira
Research
A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
Get the latest cybersecurity insights in your inbox.
You Might Also Like
More in vulnerability →
vulnerabilityCVE-2026-20182 makes Cisco SD-WAN controllers an urgent KEV priority
CVE-2026-20182 makes Cisco SD-WAN controllers an urgent KEV priority CVE-2026-20182 is not landing as a routine patch bulletin. Cisco says the flaw is already b...
vulnerabilityExim BDAT flaw makes mail servers urgent RCE patch targets
Exim BDAT flaw makes mail servers urgent RCE patch targets CVE-2026-45185 is the kind of bug that forces defenders to remember an old lesson: email infrastructu...
vulnerabilityDirty Frag Linux kernel zero-day gives local users a fast path to root
Dirty Frag Linux kernel zero-day gives local users a fast path to root Dirty Frag is the kind of Linux bug defenders worry about because it turns a limited foot...