#zero-day-vulnerabilities

#zero-day-vulnerabilities

CVE-2026-3909 is an out-of-bounds write flaw in Skia, the graphics library Chrome uses to render web content and parts of its user interface. Memory corruption bugs like this can sometimes be abused by attackers to crash applications or run their own code if successfully exploited.

Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild. CVE-2026-3909 is described as an out-of-bounds write defect in the Skia graphics library. It could be triggered via malicious HTML pages to corrupt memory, which could lead to arbitrary code execution or crashes.

This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).

How this proliferation occurred is unclear, but suggests an active market for 'second hand' zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.

Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities. [But] over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.

Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware attack.

CVE-2025-53771 is a SharePoint Server spoofing vulnerability allowing attackers to impersonate trusted users or resources, while CVE-2025-53770 permits remote code execution.