VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-13vg-hewg-efaa

Essentials
Severities (13)
References (6)
Severity details (5)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-13vg-hewg-efaa
Aliases	CVE-2026-3909
Summary	chromium-browser: Out of bounds write in Skia
Status	Published
Exploitability	2.0
Weighted Severity	7.9
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-787

Out-of-bounds Write

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3909.json
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00264	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
epss	0.00288	https://api.first.org/data/v1/epss?cve=CVE-2026-3909
cvssv3.1	8.8	https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
ssvc	Attend	https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
cvssv3.1	8.8	https://issues.chromium.org/issues/491421267
ssvc	Attend	https://issues.chromium.org/issues/491421267

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3909.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-3909
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3909
2447195		https://bugzilla.redhat.com/show_bug.cgi?id=2447195
491421267		https://issues.chromium.org/issues/491421267
stable-channel-update-for-desktop_13.html		https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html

Data source	KEV
Date added	March 13, 2026
Description	Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
Required action	Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date	March 27, 2026
Note	This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3909
Ransomware campaign use	Unknown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3909.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-13T16:47:27Z/ Found at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://issues.chromium.org/issues/491421267

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-13T16:47:27Z/ Found at https://issues.chromium.org/issues/491421267

Exploit Prediction Scoring System (EPSS)

Percentile	0.49894
EPSS Score	0.00264
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:30:30.907865+00:00	RedHat Importer	Import	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-3909.json	38.0.0