Executive Summary
On March 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia, and CVE-2026-3910, an unspecified vulnerability in Google Chromium's V8 engine. These vulnerabilities have been actively exploited, posing significant risks to the federal enterprise. CISA's Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by the specified due date to protect against active threats. Although BOD 22-01 applies specifically to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practices. The agency continues to add vulnerabilities that meet the specified criteria to the catalog, emphasizing the importance of proactive cybersecurity measures.
Why This Matters Now
The addition of these vulnerabilities to the KEV Catalog underscores the ongoing threat posed by actively exploited vulnerabilities in widely used software components. Organizations must act swiftly to remediate these issues to prevent potential breaches and maintain the integrity of their systems.
Attack Path Analysis
An attacker exploits a vulnerability in the Google Skia graphics library (CVE-2026-3909) to achieve initial compromise by executing arbitrary code within the browser. They then escalate privileges by exploiting a flaw in the Chromium V8 engine (CVE-2026-3910) to gain higher-level access. Utilizing these elevated privileges, the attacker moves laterally within the network, targeting other systems. They establish command and control channels to maintain persistent access and exfiltrate sensitive data. Finally, the attacker impacts the organization by deploying ransomware, encrypting critical files, and demanding payment.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits CVE-2026-3909 in the Google Skia graphics library to execute arbitrary code within the browser.
Related CVEs
CVE-2026-3909
CVSS 8.8
An out-of-bounds write vulnerability in Google Skia allows remote attackers to execute arbitrary code via crafted input.
Affected Products:
Google Skia – < 2026.3.1
Exploit Status:
exploited in the wild
CVE-2026-3910
CVSS 8.8
An unspecified vulnerability in Google Chromium V8 allows remote attackers to execute arbitrary code via crafted JavaScript code.
Affected Products:
Google Chromium V8 – < 2026.3.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Process Injection
Drive-by Compromise
Exploitation for Defense Evasion
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation under BOD 22-01 for Google Chromium/Skia vulnerabilities with active exploitation targeting government infrastructure and sensitive data.
Financial Services
Banking systems using Chromium-based browsers are vulnerable to out-of-bounds write attacks and require immediate patching to prevent data exfiltration and regulatory compliance violations.
Health Care / Life Sciences
Healthcare organizations must prioritize Chromium vulnerability management to protect patient data, maintain HIPAA compliance, and prevent lateral movement through clinical systems.
Computer Software/Engineering
Software companies face heightened risk from V8 engine vulnerabilities affecting web applications, requiring enhanced zero trust segmentation and threat detection capabilities.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog (Verified)
- NVD - CVE-2026-3909: https://nvd.nist.gov/vuln/detail/CVE-2026-3909 (Verified)
- NVD - CVE-2026-3910: https://nvd.nist.gov/vuln/detail/CVE-2026-3910 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation of browser vulnerabilities, it could likely limit the attacker's ability to escalate privileges or move laterally within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to leverage elevated privileges to access other sensitive resources within the cloud environment.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely reduce the attacker's ability to move laterally by enforcing strict communication policies between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and disrupt unauthorized command and control communications within the cloud environment.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent the deployment of ransomware, it could likely limit the attacker's ability to propagate the ransomware across the cloud environment, thereby reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Web Browsing
- Document Rendering
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data through arbitrary code execution.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts of known vulnerabilities.
- Enforce zero trust segmentation to limit lateral movement within the network.
- Deploy egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize threat detection and anomaly response systems to identify and respond to suspicious activities promptly.
- Ensure all systems and applications are regularly updated to patch known vulnerabilities and reduce the attack surface.



