CISA adds two Google browser and graphics flaws to KEV catalog after active exploitation
CISA has added CVE-2026-3909 in Google Skia and CVE-2026-3910 in Chromium V8 to the Known Exploited Vulnerabilities catalog, turning a routine patching task into a live exposure-management priority.
What happened
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation: CVE-2026-3909, described as a Google Skia out-of-bounds write vulnerability, and CVE-2026-3910, described as a Google Chromium V8 vulnerability. The agency framed both additions as significant enough to warrant formal remediation under Binding Operational Directive 22-01 for US federal civilian agencies.
That matters because KEV inclusion is not just another advisory milestone. It is CISA’s signal that a vulnerability has moved from patch-management theory into confirmed attacker use.
Why it matters
Browser and browser-adjacent vulnerabilities remain high-value because they sit on heavily exposed execution surfaces that ordinary users touch constantly. Once active exploitation is established, the operational question is no longer whether a flaw looks severe on paper. It is whether exposed systems, lagging endpoints, managed browser fleets, or downstream embedded Chromium deployments are still within reach of attackers.
The pairing here is also notable. Skia and V8 are not obscure components. They sit close to content rendering and script execution, which means exploitation risk can travel through mainstream browsing activity, embedded app views, and other software that inherits Chromium components. For defenders, that makes this kind of KEV update broader than a niche product advisory.
Assessment
This is the kind of KEV entry that should trigger immediate inventory and update validation rather than passive awareness. The most useful defensive response is not just to patch Chrome on primary workstations, but to identify where Chromium-based runtimes, managed enterprise browser channels, kiosk systems, and embedded browser surfaces may lag behind.
The archive value here is less about the two CVE descriptions on their own and more about what they represent: CISA is highlighting active exploitation against core Google browsing components, which is a durable signal about attacker focus and defender exposure.
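The inventory and update validation described in the assessment, as an added example that is not from CISA or the original article: a version check across managed browsers, kiosks, and embedded Chromium surfaces. The function names, hostnames, surface labels, and every version number (including the minimum fixed version) are constructed placeholders; the page does not state the fixed build, so the real value must come from the vendor advisory.

```python
import re

# Chromium builds use a four-part numeric version (MAJOR.MINOR.BUILD.PATCH).
_VERSION = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if unusable."""
    text = (text or "").strip()
    if not _VERSION.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(inventory, min_fixed):
    """Sort inventory rows into patched / lagging / unknown against min_fixed."""
    floor = parse_version(min_fixed)
    if floor is None:
        raise ValueError("min_fixed must be a four-part version string")
    report = {"patched": [], "lagging": [], "unknown": []}
    for row in inventory:
        found = parse_version(row.get("chromium_version"))
        if found is None:
            bucket = "unknown"   # no usable version: unvalidated, not assumed safe
        elif found >= floor:     # integer tuples, so 1000.9 sorts below 1000.50
            bucket = "patched"
        else:
            bucket = "lagging"
        report[bucket].append((row["host"], row["surface"]))
    return report

# Constructed sample data. SAMPLE_MIN_FIXED is a placeholder, not a real build.
SAMPLE_MIN_FIXED = "200.0.1000.50"
SAMPLE_INVENTORY = [
    {"host": "ws-014", "surface": "managed browser (stable)",
     "chromium_version": "200.0.1000.50"},
    {"host": "ws-022", "surface": "managed browser (extended stable)",
     "chromium_version": "198.0.990.120"},
    {"host": "kiosk-03", "surface": "kiosk browser",
     "chromium_version": "200.0.1000.9"},
    {"host": "ws-014", "surface": "desktop app with embedded Chromium",
     "chromium_version": "196.0.950.2"},
    {"host": "app-07", "surface": "embedded web view", "chromium_version": ""},
]

if __name__ == "__main__":
    for bucket, rows in classify(SAMPLE_INVENTORY, SAMPLE_MIN_FIXED).items():
        print(f"{bucket}: {rows}")
```

The same host can appear more than once: ws-014 runs a patched managed browser alongside a lagging embedded runtime, which is the gap a workstation-only patch report hides.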