External risk intelligence

Google Chrome could allow an external attacker to run malicious code via a web page.

CVE advisoryKnown Exploit

CVE-2026-3909

An external attacker can compromise a computer and access sensitive data by tricking a user into visiting a malicious website in Google Chrome. This could allow them to run unauthorized code, leading to a full system compromise.

1Halo Surface Signal

Out-of-bounds Write

Google Chrome

before 146.0.7680.80

External exposure likelihood

Halo Surface Signal score for CVE-2026-3909

The vulnerability affects a client-side browser application. It is triggered by a user visiting a malicious website, rather than by an internet-facing service, listener, or gateway exposed for direct remote connections. As a client-side software component, the rendering engine does not function as an externally reachable network service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Google Chrome's Skia component could allow a remote attacker to execute code by tricking users into visiting a malicious web page. This issue impacts the ability to securely process web content, making it a significant concern.

  • High impact: Affects core browser functionality.
  • Remote exploitation: Requires only a malicious web page.
  • Widespread: Impacts Chrome users across various operating systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this flaw by tricking a user into visiting a specially crafted HTML page. This page will trigger an out-of-bounds write vulnerability within the Skia graphics library used by Google Chrome. Successful exploitation could allow the attacker to gain control over memory regions, potentially leading to code execution or denial of service.

  • Requires user interaction.
  • Targets a web browser component.
  • Exploited via a malicious webpage.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Skia, a graphics library used by Chrome, presents a notable threat due to its potential for remote attackers to achieve out-of-bounds memory access via crafted web content. While the vulnerability is classified as high severity, its exploitation often requires user interaction, such as visiting a malicious website.

  • KEV listed.
  • Exploitation requires user interaction.
  • Patching is actively managed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Google Chrome to version 146.0.7680.80 immediately, as this vulnerability is actively exploited. If immediate patching is not feasible, block access to or isolate Chrome instances that may encounter malicious HTML content.

  • Update Chrome to 146.0.7680.80.
  • Block or isolate affected systems.
  • Monitor for exploitation attempts.

Frequently asked questions

What is an out-of-bounds write vulnerability in Google Chrome's Skia component?

An out-of-bounds write vulnerability in Skia, a graphics component used by Google Chrome, allows a remote attacker to access memory outside of the intended buffer. This can be triggered by a user visiting a specially crafted HTML page. This weakness is classified under CWE-787.

How can an attacker exploit the CVE-2026-3909 vulnerability?

An attacker can exploit CVE-2026-3909 by presenting a user with a malicious HTML page. When a user visits this page, it triggers an out-of-bounds write in the Skia library. This could lead to unauthorized memory access, potentially allowing the attacker to execute code or cause a denial of service.

What is the scope of the vulnerability and how is it relevant?

The vulnerability affects Google Chrome, potentially impacting users across various operating systems including Apple macOS, Linux, and Microsoft Windows, specifically in Chrome versions prior to 146.0.7680.75. Its relevance is heightened as it is listed on the Known Exploited Vulnerabilities (KEV) catalog.

What is the recommended response to the Halo Surface Signal for CVE-2026-3909?

The Halo Surface Signal indicates a 'Very unlikely' threat score because the vulnerability affects a client-side browser application, requiring a user to visit a malicious website. It does not involve an internet-facing service directly exposed for remote connections.

What immediate actions should be taken to address this vulnerability?

It is critical to immediately update Google Chrome to version 146.0.7680.80 to mitigate this vulnerability. If immediate patching is not possible, consider blocking access to or isolating Chrome instances that might encounter malicious HTML content, and continuously monitor for any signs of exploitation.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified