ISN 2026-06: Chromium Vulnerabilities Exploited in the Wild

First published 19 March 2026

CVSS:3.1: 9.8 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Security vulnerabilities have been found in Chromium, a web browser used in IGEL OS. They affect the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

A critical heap buffer overflow (CVE-2026-3913) has been found in Chromium’s implementation of the Web Modeling Language (WebML). It can be exploited via a crafted HTML page. The WebML component also suffers from an integer overflow (CVE-2026-3914, high), a further heap buffer overflow (CVE-2026-3915, high), and an out-of-bounds memory access (CVE-2026-3920, high).

The 2D graphics library Skia is affected by an out-of-bounds write (CVE-2026-3909, high). Google reports that this vulnerability is being exploited in the wild.

Other issues rated high include an out-of-bounds read in Web Speech (CVE-2026-3916), a use-after-free in Agents (CVE-2026-3917), and another use-after-free in WebMCP (CVE-2026-3918). A full list of vulnerabilities is available in the referenced blog posts from the Chrome Releases team.

Update Instructions

  • OS 12: Update the Chromium app to version 146.0.7680.80 or newer when available from the IGEL App Portal.

  • OS 11: Update to IGEL OS 11.11.130 or newer when available.
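
One way to triage a device inventory against the fixed versions above, as an added example that is not part of the IGEL advisory. The CSV columns (`host`, `os_version`, `chromium_app_version`), the sample rows, and the reading of an empty app field as "app not installed" are assumptions of this example, not an IGEL export format.

```python
import csv
import io

# Fixed versions from the update instructions above.
FIXED = {11: (11, 11, 130),          # OS 11: firmware version
         12: (146, 0, 7680, 80)}     # OS 12: Chromium app version

# Constructed sample inventory; the column names are assumptions of this example.
SAMPLE_INVENTORY = """\
host,os_version,chromium_app_version
tc-001,12.6.0,146.0.7680.80
tc-002,12.6.0,145.0.7632.116
tc-003,11.10.210,
tc-005,12.5.1,
tc-006,12.6.0,146.0.beta
"""

def parse_version(text):
    """'146.0.7680.80' -> (146, 0, 7680, 80); None if any part is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_at_least(version, minimum):
    """Numeric compare, zero-padding the shorter tuple (11.11 equals 11.11.0)."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)

def classify(row):
    """Return 'patched', 'vulnerable', 'no-chromium-app' or 'unknown' for one device."""
    os_ver = parse_version(row["os_version"])
    if os_ver is None or os_ver[0] not in FIXED:
        return "unknown"
    checked = os_ver                      # OS 11: the fix arrives with the OS update
    if os_ver[0] == 12:                   # OS 12: the fix arrives with the Chromium app
        app = (row.get("chromium_app_version") or "").strip()
        if not app:
            return "no-chromium-app"      # assumption: empty field means app not installed
        checked = parse_version(app)
        if checked is None:
            return "unknown"              # unparsable version: review by hand
    return "patched" if is_at_least(checked, FIXED[os_ver[0]]) else "vulnerable"

def triage(csv_text):
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Devices reported as `unknown` need manual review rather than being counted as patched.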

References
