# CISA Adds Two Actively Exploited Google Chrome Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has expanded its Known Exploited Vulnerabilities catalog with two new Google Chrome flaws — one targeting the Skia graphics engine and another in the V8 JavaScript runtime — amid confirmed in-the-wild exploitation.

## Background and Context

CISA on Wednesday added CVE-2026-3909 and CVE-2026-3910 to its Known Exploited Vulnerabilities (KEV) Catalog, a curated list that serves as the authoritative reference for vulnerabilities confirmed to be under active exploitation. The addition triggers mandatory remediation timelines for all Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, though CISA strongly urges all organizations — public and private — to prioritize patching these flaws immediately.

The two vulnerabilities target core components of the Google Chromium browser stack: Skia, the open-source 2D graphics library responsible for rendering virtually everything a user sees on screen, and V8, the high-performance JavaScript and WebAssembly engine that powers Chrome's ability to execute code from the web. Both components sit at the intersection of high complexity and high exposure — they process untrusted input from every website a user visits, making them perennial targets for sophisticated attackers seeking reliable browser exploitation chains.

The KEV Catalog has grown into one of the most operationally significant vulnerability databases in the industry since its launch in November 2021. Unlike the broader CVE database or the National Vulnerability Database (NVD), which catalog vulnerabilities based on disclosure, the KEV list reflects a higher evidentiary bar: confirmed exploitation in the wild. That distinction makes each addition a signal that threat actors have already weaponized the flaw — and that the window for defensive action is narrowing.

## Technical Details

### CVE-2026-3909 — Google Skia Out-of-Bounds Write

The first vulnerability is an out-of-bounds write in Google Skia, the graphics rendering library embedded in Chrome, Android, Firefox, Flutter, and numerous other platforms. Out-of-bounds write vulnerabilities occur when a program writes data beyond the boundaries of an allocated memory buffer, potentially corrupting adjacent memory structures. In the context of a browser graphics engine, this class of bug can be triggered by specially crafted image files, SVG content, CSS rendering operations, or WebGL shaders — any of which can be delivered through a malicious or compromised website.

Skia's attack surface is notably broad. Because the library handles font rasterization, image decoding, path rendering, and GPU-accelerated compositing, a single vulnerability can often be reached through multiple code paths, complicating efforts to deploy mitigations short of a full patch. Out-of-bounds writes in Skia have historically been leveraged to achieve arbitrary code execution within the renderer process, which attackers can then pair with a sandbox escape to gain full system-level access.

### CVE-2026-3910 — Google Chromium V8 Unspecified Vulnerability

The second vulnerability targets V8, Chromium's JavaScript engine. CISA's listing describes it as an "unspecified vulnerability," a designation that typically indicates Google is withholding full technical details to limit the window during which attackers can reverse-engineer the patch and develop additional exploits — a standard practice for bugs already under active exploitation.

V8 vulnerabilities are among the most prized in the exploit marketplace. The engine's just-in-time (JIT) compilation pipeline — which dynamically translates JavaScript into optimized machine code at runtime — introduces a class of bugs related to type confusion, incorrect optimization assumptions, and speculative compilation errors. These bugs frequently yield reliable, high-quality exploitation primitives that can be triggered simply by having a victim visit a web page containing malicious JavaScript. No user interaction beyond navigation is required.

The pairing of a Skia rendering bug with a V8 engine flaw is particularly concerning. Browser exploit chains frequently combine a renderer vulnerability (for initial code execution within the sandboxed tab process) with a second bug to escape Chrome's multi-process sandbox. While CISA has not confirmed these two CVEs are being used together as a chain, the simultaneous addition to the KEV Catalog will draw scrutiny from threat intelligence teams investigating potential linkage.

## Real-World Impact

The implications extend well beyond Google Chrome. Chromium's open-source engine underpins Microsoft Edge, Brave, Opera, Vivaldi, and dozens of other browsers, as well as Electron-based desktop applications including Slack, Visual Studio Code, Discord, and Microsoft Teams. Skia is independently embedded in Android's rendering stack and Mozilla Firefox. A vulnerability in either component can ripple across the entire software ecosystem.

For enterprises, browser-based vulnerabilities represent one of the most direct paths an attacker can take from the internet to an endpoint. Unlike server-side flaws that require exposed services, browser exploits can be delivered through spear-phishing emails, malicious advertisements (malvertising), compromised legitimate websites (watering hole attacks), or even through embedded content in trusted collaboration platforms. The attack requires nothing more than a click — or in some cases, a page load.

Organizations running unpatched browsers across their fleet face the risk of initial access, credential theft, lateral movement, and data exfiltration — all potentially initiated from a single browsing session.

## Threat Actor Context

CISA has not attributed the observed exploitation to a specific threat actor or group. However, browser zero-days of this caliber are historically associated with advanced persistent threat (APT) groups and commercial surveillance vendors (CSVs). Google's Threat Analysis Group (TAG) has repeatedly documented the use of Chrome zero-day chains by state-sponsored actors targeting journalists, dissidents, opposition politicians, and government officials, as well as by spyware vendors such as those in the commercial surveillance ecosystem.

The exploit broker market continues to place Chrome full-chain exploits among the highest-value capabilities, with public pricing tiers from known brokers exceeding $500,000 for a Chrome remote code execution chain with sandbox escape. The operational value of these exploits to nation-state intelligence services and law enforcement agencies ensures a persistent demand signal that incentivizes continued research into Chromium's attack surface.

## Defensive Recommendations

Immediate actions organizations should take:

  • Patch immediately. Update Google Chrome and all Chromium-based browsers to the latest stable release. Verify updates have propagated across all managed endpoints. Google's Chrome update mechanism is automatic, but enterprise-managed deployments often lag due to policy-controlled rollout schedules.
  • Audit Chromium-derived software. Identify all Electron-based applications, embedded Chromium WebViews, and other software in your environment that bundles Skia or V8. These may require separate updates from their respective vendors.
  • Enforce browser isolation. Organizations with browser isolation solutions should verify that high-risk browsing activity is being routed through remote browser isolation (RBI) infrastructure, which can contain exploitation attempts within disposable cloud containers.
  • Monitor for exploitation indicators. Endpoint detection and response (EDR) platforms should be configured to alert on anomalous child process creation from browser processes, unexpected memory allocation patterns, and renderer process crashes — all of which can signal attempted exploitation.
  • Restrict unnecessary browser features. Where operationally feasible, consider disabling JIT compilation in V8, either through Chrome's enterprise JavaScript JIT policy or by launching Chrome with the --js-flags=--jitless switch; this eliminates an entire class of JIT-related exploitation techniques at the cost of JavaScript performance.
  • Review BOD 22-01 compliance. Federal agencies must remediate KEV-listed vulnerabilities within the timeframe specified by CISA. Private organizations should adopt the KEV Catalog as a prioritization input for their own vulnerability management programs.
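As an added illustration of the "anomalous child process creation from browser processes" monitoring recommendation above (example code, not from CISA, Google or the original article), the routine below walks Sysmon-style process-creation records and flags any process a Chromium-based browser spawned that is not one of its own helper processes. The browser list, the allowlist of expected children and the sample records are all constructed assumptions to be tuned to what a given fleet actually shows.

```python
"""Flag anomalous child processes spawned by browser processes.

Records are constructed, Sysmon-style process-creation events reduced to the
fields the rule needs; nothing here is taken from a real incident.
"""
import json
from pathlib import PureWindowsPath

# Chromium-based browser executables whose children are scrutinised (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Children a browser legitimately spawns: its own helper processes (renderer,
# GPU, utility; all launched as the same binary) plus the crash handler.
# Assumed allowlist; extend it from baseline telemetry, not from guesswork.
EXPECTED_CHILDREN = BROWSERS | {"chrome_crashpad_handler.exe"}

# Constructed sample: three benign records, two that the rule should surface.
SAMPLE_EVENTS = r"""
{"UtcTime":"2026-01-01 10:00:01","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --type=renderer"}
{"UtcTime":"2026-01-01 10:00:02","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --type=gpu-process"}
{"UtcTime":"2026-01-01 10:00:03","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"UtcTime":"2026-01-01 10:00:04","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile"}
{"UtcTime":"2026-01-01 10:00:05","ParentImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
"""


def _basename(path: str) -> str:
    """Lower-cased executable name from a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event: dict) -> bool:
    """True when a browser process spawned something outside its expected helpers."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    return parent in BROWSERS and child not in EXPECTED_CHILDREN


def find_suspicious(lines) -> list:
    """Parse JSON-lines process-creation records and return the ones worth an alert."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {e['UtcTime']}: {_basename(e['ParentImage'])} -> {e['CommandLine']}")
```

Renderer-process crashes, the other signal the recommendation names, come from a different event source (crash reports or application error events) and need their own rule; this block covers only process lineage.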
## Industry Response

The security community's reaction has been measured but attentive. Browser security researchers note that Chrome's multi-layered defense architecture — including site isolation, the V8 sandbox, and MiraclePtr memory protections — has progressively raised the cost of full exploitation chains. However, the continued appearance of Chrome zero-days on the KEV list underscores that these defenses, while effective at raising the bar, have not eliminated the threat.

Google has invested heavily in structural mitigations, including the ongoing migration of critical components to memory-safe languages like Rust, expanded fuzzing infrastructure, and the V8 sandbox hardening project. The company's vulnerability reward program offers up to $250,000 for a full Chrome sandbox escape chain, reflecting the seriousness with which it treats these attack vectors.

CISA's KEV Catalog continues to serve as a forcing function for patch prioritization across the federal government and increasingly across the private sector. With over 1,200 entries since its inception, the catalog has become a de facto standard for separating theoretical risk from demonstrated threat — and this week's additions are a reminder that the browser remains one of the most contested battlegrounds in cybersecurity.
