Skip to main content

Chromium Based Zero Days

Page 1

Table of Contents

Chrome Zero-Days TA

Overview and Analysis

Taylor Alvarez

I. Introduction

On 13th March, Google pushed out an emergency security patch to address a pair of critical zeroday vulnerabilities used by attackers to actively exploit the Google Chrome web browser. CVE2026-3909 and CVE-2026-3910 both carry a high severity CVSS score of 8.8 (a standardized way to measure vulnerabilities’ severity). Both have been confirmed and recognized by Google and Cybersecurity and Infrastructure Security Agency (CISA).

Due to the nature of these flaws existing within the foundation of Chromium code base, that caused these vulnerabilities to be exploited, the attack surface extends beyond Google Chrome. Any browser or application utilizing the Chromium engine is affected, common examples include:

• Brave

• Opera

• Vivaldi

• Microsoft Edge

The vulnerabilities target two distinct core components:

• CVE-2026-3909 (Skia Out-of-Bounds Write): An out-of-bounds memory write vulnerability in Skia 2D graphics library, allowing an attacker to remotely corrupt memory leading to browsers crashing or further exploited

• CVE-2026-3910 (Inappropriate implementation in V8): A severe critical code injection and memory buffer vulnerability within the V8 JavaScript engine, allowing a remote attacker to execute arbitrary code.

Since these attacks only require a simple click from a victim or to visit a malicious webpage, the risk is immediate; users are urged to update their browsers to mitigate any potential threats.

II. Technical Analysis

Both of these zero-day vulnerabilities target the renderer process, a sandboxed environment responsible for parsing HTML, executing JavaScript, and drawing visual elements on the screen. Since the renderer handles a lot of untrusted data on the web, it is a primary and common target for browser exploitation.

To understand the severity of CVE-2026-3909 and CVE-2026-3910, it is important to look at how the foundational architecture of the Chromium engine manages untrusted web content.

CVE-2026-3909:

Skia Out-of-Bounds (OOB) Write: Skia is a foundational open source 2D graphics library used by Chromium. It renders all visual elements on a webpage: SVG (Scalable Vector Graphics) paths, HTML elements, CSS borders and web fonts.

• The Vulnerability: An Out-of-Bounds (OOB) write occurs when a program writes data past the intended boundary of an allocated memory buffer. In the case of CVE-2026-3909, a logical flaw in how Skia calculates the memory requirements for specific, complex graphic rendering tasks (likely related to path stroking, matrix transformations, or clipping bounds) results in the allocation of a heap buffer that is too small for the resulting data.

• An attacker cannot simply crash the browser; they must control the crash to hijack the system. To exploit this Skia flaw, an attacker could use JavaScript to meticulously arrange the browser's memory layout, also known as “heap grooming” technique. By precisely positioning specific data structures adjacent to the vulnerable Skia buffer, the attacker triggers the OOB to write to overwrite the neighboring data.

• The attacker's goal is to overwrite a function pointer or a C++ virtual table (vtable) pointer. Once the browser attempts to use that corrupted pointer for a subsequent graphic operation, the execution flow is redirected to the attacker's malicious shellcode, granting them control over the renderer process.

CVE-2026-3910

V8 Inappropriate Implementation: V8 is Google’s JavaScript and WebAssembly engine. V8 has a multi-tiered architecture, which relies on an interpreter and “Just-In-Time” optimizing compiler.

• The Vulnerability: As JavaScript runs, TurboFan monitors the code. If a function is executed repeatedly, TurboFan compiles it into highly optimized machine code. To do this

quickly, TurboFan makes strict assumptions (speculative optimization) about the types of variables being used based on past behavior. "Inappropriate implementation" indicates a criticalbugwhereTurboFan'sinternal logic incorrectlymodelstheside-effectsofaspecific JavaScript operation, causing it to drop essential security boundaries (like bounds checks or type checks) in the optimized code.

• By feeding the optimized function an unexpected data type, the attacker intentionally violates TurboFan's assumptions. Since the safety checks were compiled out, the engine experiences "type confusion." For example, the V8 engine might be tricked into treating a raw integer as a memory pointer, or treating a standard array as an array of executable objects.

• Once type confusion is achieved, the attacker uses it to construct an arbitrary memory read and an arbitrary memory write. The attacker can now scan the V8 heap, locate executable memory pages (often utilizing WebAssembly memory allocations, which are marked as Read/Write/Execute), inject their malicious payload, and execute it.

III. Remediation and Mitigation

Since CVE-2026-3909 and CVE-2026-3910 are being actively exploited in the wild and require no user interaction beyond visiting a malicious webpage, organizations must prioritize immediate remediation.

1. Immediate Remediation: Software Updates

The only definitive method to eliminate the risk posed by these vulnerabilities is to update the affected software. Security and IT operations teams should utilize automated patch management systems to push these updates across their respective networks.

• Google Chrome: Verify that all endpoint deployments of Google Chrome are updated to the following versions (or later):

Windows and macOS: Version 146.0.7680.75 or 146.0.7680.76

Linux: Version 146.0.7680.75

• Chromium-Based Browsers: Ensure that all other approved browsers utilizing the Chromium engine (e.g., Microsoft Edge, Brave, Opera, Vivaldi) are updated to their respective vendors' patched versions.

• Electron Applications: Monitor vendor advisories for desktop applications built on the Electron framework (e.g., Slack, Microsoft Teams) and apply updates as they are released, as these applications bundle the vulnerable Chromium components.

2. Threat Detection and Hunting

Security Operations Centers (SOC) should continue to ensure their Endpoint Detection and Response (EDR) platforms are configured to monitor for anomalous behavior originating from browser processes. Specifically, analysts should hunt for:

• Unexpected child processes spawning from chrome.exe or msedge.exe (e.g., command shells, PowerShell, or unknown executables).

• Browser processes attempting to write executable files to disk outside of standard download directories.

• Unexpected network connections initiated by the browser to known Command and Control (C2) infrastructure following a browser crash event.

• Monitor for unexpected chrome.exe crashes and Ensure the website or external website is legible.

IV. References

https://nvd.nist.gov/vuln/detail/CVE-2026-3910

https://nvd.nist.gov/vuln/detail/CVE-2026-3909

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html

https://www.sentinelone.com/vulnerability-database/cve-2026-3910/

https://www.chromium.org/Home/chromium-security/

Threat Advisory created by The Cyber Florida Security Operations Center

Contributing Security Analysts: Taylor Alvarez

To learn more about Cyber Florida visit: www.cyberflorida.org

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: and more. Sign up and create your flipbook.