Browser engines are the most widely deployed attack surface in the world — and in 2026, they remain stubbornly difficult to harden. Google's emergency update for Chrome 146 patched two zero-days with confirmed in-the-wild exploitation: CVE-2026-3909, an out-of-bounds write in the Skia graphics library, and CVE-2026-3910, a type-confusion bug in V8's Maglev JIT compiler. Both carry a CVSS of 8.8. Both were discovered by Google's own Threat Analysis Group, the unit that tracks nation-state and advanced persistent threat actors.

We covered the immediate patch advisory earlier (Dos Zero-Days en Chrome con Exploits Activos). This piece takes the 2026-roundup angle: why do Skia and V8 keep producing critical vulnerabilities, what does the broader browser engine attack surface look like this year, and what defenses reduce real exposure for organizations?

The Two Vulnerabilities: What They Are and Why They're Dangerous

CVE-2026-3909 — Skia out-of-bounds write (CVSS 8.8). Skia is the 2D graphics engine Chrome uses to render everything on screen — text, images, SVG, CSS visual effects. An out-of-bounds write in Skia means an attacker can craft a malicious page (or an ad served through a legitimate site) that triggers the renderer to write data past the end of an allocated buffer. The write lands in adjacent memory, potentially overwriting control structures that redirect code execution. This class of bug — CWE-787 — is the single most common vulnerability type in the 2025 and 2026 CWE Top 25, and its persistence in graphics-heavy codebases like Skia reflects the fundamental difficulty of safe bounds-checking at high rendering throughput.