CVE-2026-3909

Google Skia Out-of-Bounds Write (CVE-2026-3909)

Initial Access Execution Last updated:

Detects exploitation attempts targeting CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia graphics library. Skia is embedded in Chrome and other Google products. Exploitation can lead to arbitrary code execution via crafted web content or malicious files. This vulnerability is confirmed exploited in the wild (CISA KEV).

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Google
Product
Skia

Weakness (CWE)

CWE-787

Timeline

Disclosed
March 13, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-3909 Google Skia Out-of-Bounds Write (CVE-2026-3909)?

Google Skia Out-of-Bounds Write (CVE-2026-3909) (CVE-2026-3909) maps to the Initial Access and Execution tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Google Skia Out-of-Bounds Write (CVE-2026-3909), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Microsoft Sentinel DeviceNetworkEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution
Microsoft Sentinel / Defender
kusto 
union DeviceProcessEvents, DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
| where (ActionType == "ProcessCreated" and FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"))
   or (ActionType in ("NetworkConnectionSuccess", "InboundConnectionAccepted") and RemotePort in (4444, 1337, 8080, 9001))
| extend RiskIndicator = case(
    FileName in~ ("cmd.exe", "powershell.exe"), "ShellSpawnedFromBrowser",
    ActionType == "NetworkConnectionSuccess" and RemotePort in (4444, 1337), "SuspiciousC2Port",
    "GenericSuspicious"
  )
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemotePort, RiskIndicator

Identifies browser processes (Chrome and Chromium-based) spawning unexpected child processes or making suspicious outbound connections — common post-exploitation behaviour following a Skia renderer compromise.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents Microsoft Sentinel DeviceNetworkEvents

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

  • Legitimate browser extensions that spawn helper processes
  • Developer workflows invoking CLI tools from browser-triggered scripts
  • Corporate proxy or DLP software that establishes connections on unusual ports from browser processes

Sigma rule & cross-platform mapping

The detection logic for Google Skia Out-of-Bounds Write (CVE-2026-3909) (CVE-2026-3909) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-3909 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-3909

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Browser Spawning Shell (Windows)

    Expected signal: Sysmon Event ID 1 showing cmd.exe with ParentImage containing chrome.exe; Windows Security 4688 process creation log

  2. Test 2Simulate Suspicious Outbound Network Connection from Browser Process (Linux)

    Expected signal: Auditd or Sysmon-for-Linux network connection event showing process named 'chrome' connecting to port 4444

  3. Test 3Simulate Renderer Sandbox Escape via LOLBin Execution (Windows)

    Expected signal: Sysmon Event ID 1 with regsvr32.exe CommandLine containing /i:http and scrobj.dll; Sysmon Event ID 3 network connection from regsvr32.exe

  4. Test 4Skia OOB Write Crash Reproduction (macOS — Lab Only)

    Expected signal: Chrome crash report generated in crash-dumps-dir; macOS Console logs show SIGSEGV or SIGABRT from renderer process

Unlock Pro Content

Get the full detection package for CVE-2026-3909 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1203Exploitation for Client ExecutionT1189Drive-by CompromiseT1055Process Injection

Same Tactic: Initial Access

Popular Detections