The Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent warning regarding two critical zero-day vulnerabilities impacting Google Chrome and its underlying technologies. Both flaws are currently being exploited in real-world attacks, leading CISA to include them in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been directed to fix these issues by March 27, 2026, while private organizations are strongly encouraged to act without delay.
The first vulnerability, identified as CVE-2026-3909, exists within Google’s Skia graphics engine. Skia is a widely used open-source 2D graphics library responsible for rendering visual elements such as images and text across various platforms. This flaw involves an out-of-bounds write issue, which can allow attackers to corrupt memory by luring users to visit a specially crafted malicious webpage. If successfully exploited, it could result in system crashes or even arbitrary code execution.
The risk associated with this vulnerability is particularly high due to Skia’s broad adoption. In addition to Google Chrome, it is used in ChromeOS, Android devices, Flutter-based applications, and other software that relies on Skia for rendering. This widespread usage significantly expands the potential attack surface, making it a serious concern for both enterprises and individual users.
The second vulnerability, CVE-2026-3910, affects the Chromium V8 JavaScript engine, a core component responsible for processing web scripts and dynamic content. This flaw stems from improper memory handling, allowing attackers to manipulate memory buffers. Like the Skia issue, exploitation requires users to visit a malicious webpage. Once triggered, attackers can execute arbitrary code within the browser’s sandbox environment. Although sandboxing offers some level of protection, attackers often combine such vulnerabilities with additional exploits to gain deeper system access.
Since Chromium powers several major browsers, including Google Chrome, Microsoft Edge, and Opera, this vulnerability has a wide-reaching impact. While there is no confirmed connection to ransomware attacks yet, such flaws are highly valuable to cybercriminals. They are often used in drive-by download campaigns, where users are compromised simply by visiting infected websites.
CISA has emphasized the urgency of patching these vulnerabilities. Organizations should immediately update all affected browsers, apply security patches to ChromeOS and Android systems, and follow vendor guidance where fixes are not yet available. User awareness is also critical, as avoiding suspicious links can reduce exposure to such threats.





