
CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two actively exploited vulnerabilities affecting Google Skia (CVE-2026-3909) and Google Chromium V8 (CVE-2026-3910) to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate remediation across all organizations.

Sens: Immediate | Conf: high | Analyzed: 2026-03-13

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added CVE-2026-3909 and CVE-2026-3910 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • Both vulnerabilities are actively exploited in the wild and pose significant risks.
  • CVE-2026-3909 is an Out-of-Bounds Write vulnerability in Google Skia.
  • CVE-2026-3910 is an unspecified vulnerability in Google Chromium V8.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities under BOD 22-01.

Affected Systems

  • Google Skia
  • Google Chromium V8

Vulnerabilities (CVEs)

  • CVE-2026-3909
  • CVE-2026-3910

Attack Chain

Malicious cyber actors are actively exploiting an out-of-bounds write vulnerability in Google Skia (CVE-2026-3909) and an unspecified vulnerability in Google Chromium V8 (CVE-2026-3910). Specific exploitation chains, payloads, or post-exploitation activities are not detailed in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or queries are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: Low. The alert only mentions the vulnerabilities; no specific malware, processes, or post-exploitation TTPs are provided for EDR to detect.
  • Network Visibility: Low. No network indicators, exploit payloads, or C2 patterns are provided in the text.
  • Detection Difficulty: Hard. Without specific exploit payloads or post-exploitation indicators, detection relies entirely on identifying vulnerable software versions rather than active exploitation.

Required Log Sources

  • Vulnerability Management Scanners
  • Software Inventory Logs

Hunting Hypotheses

  • Hypothesis: Search for outdated versions of Google Chrome or Chromium-based browsers executing unexpected child processes, which may indicate successful exploitation of V8 or Skia vulnerabilities.
  • Telemetry: Endpoint Process Execution (Event ID 4688, Sysmon Event ID 1)
  • ATT&CK Stage: Execution
  • FP Risk: Medium
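
One way to run the hunting hypothesis above over Sysmon Event ID 1 records, as an added example that is not part of the CISA alert or this report. The sample events, the browser list, the helper names and the version threshold are constructed assumptions; the alert names no fixed build, so the threshold must come from the vendor advisory.

```python
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # assumption: extend per fleet
# Renderer, GPU and utility processes reuse the browser's own image, so the
# browser spawning itself is expected. Add other known-good children here.
EXPECTED_CHILDREN = set(BROWSERS)

def exe_name(path):
    return PureWindowsPath(path).name.lower()

def parse_version(text):
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None  # field missing or not dotted-numeric

def hunt(events, min_patched):
    """Flag unexpected children of browsers whose build is below min_patched or unknown."""
    # Sysmon's FileVersion describes the process being created, so the parent's
    # build has to be looked up in the parent's own Event ID 1 via ProcessGuid.
    created = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if exe_name(e["ParentImage"]) not in BROWSERS:
            continue
        if exe_name(e["Image"]) in EXPECTED_CHILDREN:
            continue
        parent = created.get(e["ParentProcessGuid"], {})
        build = parse_version(parent.get("FileVersion"))
        if build is not None and build >= min_patched:
            continue  # patched browser: outside this hypothesis
        # A parent whose start event is not in the data set is kept as "unknown".
        findings.append({"child": exe_name(e["Image"]), "parent": exe_name(e["ParentImage"]),
                         "parent_build": "unknown" if build is None else "outdated"})
    return findings

def ev(guid, image, parent_guid, parent_image, version=None):
    return {"ProcessGuid": guid, "Image": image, "FileVersion": version,
            "ParentProcessGuid": parent_guid, "ParentImage": parent_image}

# Constructed sample events and a constructed threshold (not real build numbers).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = [
    ev("{A1}", CHROME, "{00}", r"C:\Windows\explorer.exe", "100.0.0.1"),
    ev("{A2}", CHROME, "{A1}", CHROME, "100.0.0.1"),        # renderer: expected
    ev("{A3}", r"C:\Windows\System32\cmd.exe", "{A1}", CHROME),
    ev("{B1}", CHROME, "{00}", r"C:\Windows\explorer.exe", "100.0.0.9"),
    ev("{B2}", r"C:\Windows\System32\notepad.exe", "{B1}", CHROME),
    ev("{C2}", r"C:\Windows\System32\cmd.exe", "{C1}", CHROME),  # parent start not logged
]
SAMPLE_MIN_PATCHED = (100, 0, 0, 5)
```

Calling hunt(SAMPLE, SAMPLE_MIN_PATCHED) returns two findings: the cmd.exe child of the outdated browser, and the cmd.exe child whose parent build cannot be resolved from the available events.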

Control Gaps

  • Lack of automated browser updates
  • Delayed vulnerability patching

Key Behavioral Indicators

  • Unexpected child processes spawned by Chromium-based browsers

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Patch and update all Google Chrome and Chromium-based browsers to the latest versions immediately.
  • Identify all assets running vulnerable versions of Google Skia or Chromium V8.

Infrastructure Hardening

  • Implement automated patch management for client-side applications and browsers.

User Protection

  • Ensure users restart their browsers to apply pending updates.

Security Awareness

  • Educate users on the importance of applying browser updates promptly.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1203 - Exploitation for Client Execution