First published 19 March 2026
CVSS:3.1: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A security vulnerability has been found in Chromium, a web browser used in IGEL OS. This affects the following product versions:
-
IGEL OS 12
-
IGEL OS 11
Details
A critical heap buffer overflow (CVE-2026-3913) has been found in Chromium’s implementation of the Web Modeling Language (WebML). It can be exploited via a crafted HTML page. The WebML component also suffers from an integer overflow (CVE-2026-3914, high), a further heap buffer overflow (CVE-2026-3915, high), and an out-of-bounds memory access (CVE-2026-3920, high).
The 2D graphics library Skia is affected by an out-of-bounds write (CVE-2026-3909, high). Google reports that this vulnerability is being exploited in the wild.
Other issues rated high include an out-of-bounds read in Web Speech (CVE-2026-3916), a use-after-free in Agents (CVE-2026-3917), and another use-after-free in WebMCP (High CVE-2026-3918). A full list of vulnerabilities is available in the referenced blog posts from the Chrome Releases team.
Update Instructions
-
OS 12: Update to the Chromium app in version 146.0.7680.80 or newer when available from the IGEL App Portal.
-
OS 11: Update to IGEL OS 11.11.130 or newer when available.
References
-
Chrome Releases Blog: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
-
Chrome Releases Blog: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html