## https://sploitus.com/exploit?id=FEC11ED3-3153-5DB0-BE13-AB3069AF53D1
# CVE-2026-3909 Chromium Browser PoC

This repository contains a proof-of-concept (PoC) for **CVE-2026-3909** that can be reliably triggered in the Chromium browser.

## Background

The official Skia fix for this vulnerability only included a simplified demonstration test case:

- **Official Demo**: [AtlasOobTest.cpp](https://skia-review.googlesource.com/c/skia/+/1184076/6/tests/AtlasOobTest.cpp)

The official demo was intentionally limited and omitted key triggering conditions.  
This PoC is built upon the official demo and has been modified to trigger the vulnerability reliably within a real Chromium browser environment.

## Patches Included

This PoC consists of modifications to the following files:

### 1. `raster_implementation.cc.patch`
**Path:** `/src/gpu/command_buffer/client/raster_implementation.cc`

### 2. `SkChromeRemoteGlyphCache.cpp.patch`
**Path:** `/src/third_party/skia/src/text/gpu/SkChromeRemoteGlyphCache.cpp`


## Usage

1. Apply the two patch files to a vulnerable version of Chromium.
2. Open the trigger page in the patched browser: `chrome /trigger.html`

## Abort
```
gen/third_party/libc++/src/include/__memory/unique_ptr.h:578: libc++ Hardening assertion __checker_.__in_bounds(std::__to_address(__ptr_), __i) failed: unique_ptr::operator[](index): index out of range
Received signal 6

#0 0x5ee6abc4b669 base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1048:7]
#1 0x5ee6abc1674a base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:280:20]
#2 0x5ee6abc166b5 base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:275:28]
#3 0x5ee6abc4aed9 base::debug::(anonymous namespace)::StackDumpSignalHandler() [../../base/debug/stack_trace_posix.cc:483:3]
#4 0x79f1d4a45330 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4532f)
#5 0x79f1d4a9eb2c pthread_kill
#6 0x79f1d4a4527e gsignal
#7 0x79f1d4a288ff abort
#8 0x5ee6c330842e std::__Cr::__libcpp_verbose_abort()
#9 0x5ee69655008d std::__Cr::unique_ptr<>::operator[]() [gen/third_party/libc++/src/include/__memory/unique_ptr.h:577:5]
#10 0x5ee6ad4ed963 GrDrawOpAtlas::hasID() [../../third_party/skia/src/gpu/ganesh/GrDrawOpAtlas.h:130:35]
#11 0x5ee6ad577e0b GrAtlasManager::hasGlyph() [../../third_party/skia/src/gpu/ganesh/text/GrAtlasManager.cpp:54:36]        // Abort in here
#12 0x5ee6ad5790b7 sktext::gpu::GlyphVector::regenerateAtlasForGanesh() [../../third_party/skia/src/gpu/ganesh/text/GrAtlasManager.cpp:320:32]
#13 0x5ee6ad48060e skgpu::ganesh::AtlasTextOp::onPrepareDraws()::$_0::operator()() [../../third_party/skia/src/gpu/ganesh/ops/AtlasTextOp.cpp:532:28]
#14 0x5ee6ad4805ba std::__Cr::__invoke<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:90:27]
#15 0x5ee6ad48055d std::__Cr::__invoke_void_return_wrapper<>::__call<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:342:12]
#16 0x5ee6ad48050d std::__Cr::__invoke_r<>() [gen/third_party/libc++/src/include/__type_traits/invoke.h:356:10]
#17 0x5ee6ad4804a3 std::__Cr::__function::__policy_func<>::__call_func<>() [gen/third_party/libc++/src/include/__functional/function.h:443:12]
#18 0x5ee6ad5ddc1b std::__Cr::__function::__policy_func<>::operator()() [gen/third_party/libc++/src/include/__functional/function.h:502:12]
#19 0x5ee6ad5ddbbb std::__Cr::function<>::operator()() [gen/third_party/libc++/src/include/__functional/function.h:754:10]
#20 0x5ee6ad5d6c08 (anonymous namespace)::DirectMaskSubRun::regenerateAtlas() [../../third_party/skia/src/text/gpu/SubRunContainer.cpp:672:16]
#21 0x5ee6ad47f60d skgpu::ganesh::AtlasTextOp::onPrepareDraws() [../../third_party/skia/src/gpu/ganesh/ops/AtlasTextOp.cpp:538:50]
#22 0x5ee6ad4b6129 GrMeshDrawOp::onPrepare() [../../third_party/skia/src/gpu/ganesh/ops/GrMeshDrawOp.cpp:27:61]
#23 0x5ee6ad4b7234 GrOp::prepare() [../../third_party/skia/src/gpu/ganesh/ops/GrOp.cpp:59:11]
#24 0x5ee6ad4d43a3 skgpu::ganesh::OpsTask::onPrepare() [../../third_party/skia/src/gpu/ganesh/ops/OpsTask.cpp:548:27]
#25 0x5ee6ad37e5dd GrRenderTask::prepare() [../../third_party/skia/src/gpu/ganesh/GrRenderTask.cpp:111:11]
#26 0x5ee6ad320e43 GrDrawingManager::executeRenderTasks() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:266:21]
#27 0x5ee6ad31fca0 GrDrawingManager::flush() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:209:34]
#28 0x5ee6ad3217f7 GrDrawingManager::flushSurfaces() [../../third_party/skia/src/gpu/ganesh/GrDrawingManager.cpp:540:27]
#29 0x5ee6ad31c252 GrDirectContextPriv::flushSurfaces() [../../third_party/skia/src/gpu/ganesh/GrDirectContextPriv.cpp:92:47]
#30 0x5ee6ad2da828 GrDirectContextPriv::flushSurface() [../../third_party/skia/src/gpu/ganesh/GrDirectContextPriv.h:106:22]
#31 0x5ee6ad2d5d2b GrDirectContext::flush() [../../third_party/skia/src/gpu/ganesh/GrDirectContext.cpp:520:25]
#32 0x5ee6ad52d6be skgpu::ganesh::Flush() [../../third_party/skia/src/gpu/ganesh/surface/SkSurface_Ganesh.cpp:759:45]
#33 0x5ee6b2de1d86 gpu::SharedContextState::FlushWriteAccess() [../../gpu/command_buffer/service/shared_context_state.cc:899:9]
#34 0x5ee6b2fc974d gpu::raster::RasterDecoderImpl::DoEndRasterCHROMIUM() [../../gpu/command_buffer/service/raster_decoder.cc:3108:30]
#35 0x5ee6b2fc720c gpu::raster::RasterDecoderImpl::HandleEndRasterCHROMIUM() [../../gpu/command_buffer/service/raster_decoder_autogen.h:151:3]
#36 0x5ee6b2fdbda0 gpu::raster::RasterDecoderImpl::DoCommandsImpl<>() [../../gpu/command_buffer/service/raster_decoder.cc:1535:18]
#37 0x5ee6b2fcb03e gpu::raster::RasterDecoderImpl::DoCommands() [../../gpu/command_buffer/service/raster_decoder.cc:1597:12]
#38 0x5ee69ff67c00 gpu::CommandBufferService::Flush() [../../gpu/command_buffer/service/command_buffer_service.cc:267:35]
#39 0x5ee6b294071f gpu::CommandBufferStub::OnAsyncFlush() [../../gpu/ipc/service/command_buffer_stub.cc:504:22]
#40 0x5ee6b29401ed gpu::CommandBufferStub::ExecuteDeferredRequest() [../../gpu/ipc/service/command_buffer_stub.cc:173:7]
#41 0x5ee6b295fe51 gpu::GpuChannel::ExecuteDeferredRequest() [../../gpu/ipc/service/gpu_channel.cc:833:13]
#42 0x5ee6b296c5a0 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:740:12]
#43 0x5ee6b296c4cf base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:956:5]
#44 0x5ee6b296c425 base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#45 0x5ee6b296c361 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#46 0x5ee69ffa4e24 base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#47 0x5ee69ffa4cb5 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:815:49]
#48 0x5ee69ffa4c4f base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:932:12]
#49 0x5ee69ffa4bfd base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#50 0x5ee69ffa4b99 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#51 0x5ee695d021ec base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#52 0x5ee69ff767e0 gpu::Scheduler::ExecuteSequence() [../../gpu/command_buffer/service/scheduler.cc:707:29]
#53 0x5ee69ff7540b gpu::Scheduler::RunNextTask() [../../gpu/command_buffer/service/scheduler.cc:625:3]
#54 0x5ee69ff7b253 base::internal::DecayedFunctorTraits<>::Invoke<>() [../../base/functional/bind_internal.h:740:12]
#55 0x5ee69ff7b1d1 base::internal::InvokeHelper<>::MakeItSo<>() [../../base/functional/bind_internal.h:932:12]
#56 0x5ee69ff7b15d base::internal::Invoker<>::RunImpl<>() [../../base/functional/bind_internal.h:1069:14]
#57 0x5ee69ff7b0e9 base::internal::Invoker<>::RunOnce() [../../base/functional/bind_internal.h:982:12]
#58 0x5ee695d021ec base::OnceCallback<>::Run() [../../base/functional/callback.h:155:12]
#59 0x5ee6abab2eee base::TaskAnnotator::RunTaskImpl() [../../base/task/common/task_annotator.cc:229:34]
#60 0x5ee6abb214c8 base::TaskAnnotator::RunTask<>() [../../base/task/common/task_annotator.h:112:5]
#61 0x5ee6abb20f5e base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:472:23]
#62 0x5ee6abb205ca base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:346:40]
#63 0x5ee6abb21193 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()
#64 0x5ee6ab98e268 base::MessagePumpDefault::Run() [../../base/message_loop/message_pump_default.cc:42:55]
#65 0x5ee6abb21b67 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run() [../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:647:12]
#66 0x5ee6aba4a7bb base::RunLoop::Run() [../../base/run_loop.cc:135:14]
#67 0x5ee6b4863046 content::GpuMain() [../../content/gpu/gpu_main.cc:479:14]
#68 0x5ee6a828dff7 content::RunZygote() [../../content/app/content_main_runner_impl.cc:664:14]
#69 0x5ee6a828e879 content::RunOtherNamedProcessTypeMain() [../../content/app/content_main_runner_impl.cc:771:12]
#70 0x5ee6a828fe8b content::ContentMainRunnerImpl::Run() [../../content/app/content_main_runner_impl.cc:1147:10]
#71 0x5ee6a828c1d7 content::RunContentProcess() [../../content/app/content_main.cc:358:36]
#72 0x5ee6a828c6e6 content::ContentMain() [../../content/app/content_main.cc:371:10]
#73 0x5ee69540c460 ChromeMain [../../chrome/app/chrome_main.cc:191:12]
#74 0x5ee69540c112 main
#75 0x79f1d4a2a1ca (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#76 0x79f1d4a2a28b __libc_start_main
#77 0x5ee69540c02a _start
  r8: 000000000000005d  r9: 0000000000000000 r10: 0000000000000008 r11: 0000000000000246
 r12: 0000000000000006 r13: 0000000000000000 r14: 0000000000000016 r15: 000079f1d5aa2000
  di: 0000000000177a3a  si: 0000000000177a3a  bp: 00007ffc58951cb0  bx: 0000000000177a3a
  dx: 0000000000000006  ax: 0000000000000000  cx: 000079f1d4a9eb2c  sp: 00007ffc58951c70
  ip: 000079f1d4a9eb2c efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000

```
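The abort above is a libc++ hardening check firing inside `GrDrawOpAtlas::hasID()` in the GPU process. The following triage helper is an added example (not part of this PoC repository) that pulls the assertion message, signal number, first Skia frame and process type out of a Chromium crash dump of this shape; the embedded sample is a trimmed copy of the output shown above, and the field names and category label are this example's own.

```python
import re
from typing import Dict

# Constructed sample: a trimmed copy of the abort output shown above,
# embedded so the example runs offline.
SAMPLE_CRASH = """\
gen/third_party/libc++/src/include/__memory/unique_ptr.h:578: libc++ Hardening assertion __checker_.__in_bounds(std::__to_address(__ptr_), __i) failed: unique_ptr::operator[](index): index out of range
Received signal 6

#0 0x5ee6abc4b669 base::debug::CollectStackTrace() [../../base/debug/stack_trace_posix.cc:1048:7]
#7 0x79f1d4a288ff abort
#8 0x5ee6c330842e std::__Cr::__libcpp_verbose_abort()
#9 0x5ee69655008d std::__Cr::unique_ptr<>::operator[]() [gen/third_party/libc++/src/include/__memory/unique_ptr.h:577:5]
#10 0x5ee6ad4ed963 GrDrawOpAtlas::hasID() [../../third_party/skia/src/gpu/ganesh/GrDrawOpAtlas.h:130:35]
#11 0x5ee6ad577e0b GrAtlasManager::hasGlyph() [../../third_party/skia/src/gpu/ganesh/text/GrAtlasManager.cpp:54:36]
#34 0x5ee6b2fc974d gpu::raster::RasterDecoderImpl::DoEndRasterCHROMIUM() [../../gpu/command_buffer/service/raster_decoder.cc:3108:30]
#67 0x5ee6b4863046 content::GpuMain() [../../content/gpu/gpu_main.cc:479:14]
"""

ASSERT_RE = re.compile(r"^(\S+):(\d+): libc\+\+ Hardening assertion (.+?) failed: (.+)$")
SIGNAL_RE = re.compile(r"^Received signal (\d+)")
# "#<n> <addr> <function> [<file>:<line>:<col>]"; the location part is optional.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+(.+?)(?:\s+\[([^\]]+)\])?$")

def triage(crash_text: str) -> Dict[str, object]:
    """Extract the hardening assertion, the signal, the first Skia frame and
    the Chromium process type from one crash dump."""
    result = {"assertion": None, "signal": None, "culprit": None,
              "culprit_loc": None, "process": None, "category": "unknown"}
    for line in crash_text.splitlines():
        if m := ASSERT_RE.match(line):
            result["assertion"] = m.group(4)
        elif m := SIGNAL_RE.match(line):
            result["signal"] = int(m.group(1))
        elif m := FRAME_RE.match(line):
            func, loc = m.group(2), m.group(3) or ""
            # The first frame inside Skia (libc++ frames skipped) is where the
            # out-of-range index was passed in.
            if result["culprit"] is None and "third_party/skia" in loc:
                result["culprit"], result["culprit_loc"] = func, loc
            if "content::GpuMain" in func:
                result["process"] = "gpu"
    if result["assertion"] and "index out of range" in result["assertion"]:
        # Hardened libc++ turned an out-of-bounds index into a clean abort;
        # a build without the hardening check would use the index unchecked.
        result["category"] = "oob-index-hardening-abort"
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CRASH).items():
        print(f"{key}: {value}")
```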

## Stable Version Approach
In the stable version of Chromium, directly applying patches may not be feasible or desirable.
Instead, you can rewrite the patch logic as hook functions to intercept and modify the relevant processing functions at runtime.