Threat Analysis Report
March 31, 2025
Chrome Zero-Days TA Overview and Analysis
Taylor Alvarez
Table of Contents
I. Introduction
II. Technical Analysis
III. Remediation and Mitigation
IV. References
I. Introduction
On 13th March, Google pushed out an emergency security patch to address a pair of critical zero-day vulnerabilities that attackers were actively exploiting in the Google Chrome web browser. CVE-2026-3909 and CVE-2026-3910 both carry a high-severity CVSS score of 8.8 (CVSS is a standardized way to measure the severity of vulnerabilities). Both have been confirmed and recognized by Google and the Cybersecurity and Infrastructure Security Agency (CISA). Because these flaws exist within the foundation of the Chromium code base, the attack surface extends beyond Google Chrome. Any browser or application utilizing the Chromium engine is affected. Common examples include:
• Brave
• Opera
• Vivaldi
• Microsoft Edge
The vulnerabilities target two distinct core components:
• CVE-2026-3909 (Skia Out-of-Bounds Write): An out-of-bounds memory write vulnerability in the Skia 2D graphics library that allows a remote attacker to corrupt memory, leading to browser crashes or further exploitation.
• CVE-2026-3910 (Inappropriate implementation in V8): A severe, critical code injection and memory buffer vulnerability within the V8 JavaScript engine that allows a remote attacker to execute arbitrary code.