⚠️ WARNING – FOR EDUCATIONAL AND SECURITY RESEARCH ONLY
This page contains a proof-of-concept (PoC) for CVE-2026-3909, an out-of-bounds write vulnerability in the Skia graphics library as shipped in Google Chrome (versions prior to 146.0.7680.75) and in other Chromium‑based browsers.
Do not run this on production systems. Use only in a controlled, isolated environment with a vulnerable browser.
The PoC attempts to trigger memory corruption, which may cause a browser crash or unexpected behavior.
ℹ️ Expected behavior if vulnerable:
The browser may crash (tab crash, "Aw, Snap!"), exhibit memory corruption, or become unresponsive.
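Whether a test browser is actually in the affected range can be checked from its version string before drawing conclusions from a crash or a non-crash. The following is an added example, not part of the original PoC: the function names and sample lines are constructed, and it assumes input is either `chrome --version` output or a User-Agent header.

```javascript
// Added example: triage Chrome version strings against the fixed release
// named on this page. Sample inputs are constructed, not real telemetry.
const FIXED = [146, 0, 7680, 75]; // first patched Chrome version (from the page)

// Matches `chrome --version` output or the Chrome token of a User-Agent.
// Other Chromium-based browsers use their own version numbers; compare
// those against the vendor's advisory instead.
const VERSION_RE = /(?:Chrome\/|Google Chrome )(\d+)\.(\d+)\.(\d+)\.(\d+)/;

function classifyChromeVersion(text) {
  const m = VERSION_RE.exec(text);
  if (!m) return 'unparseable';
  const v = m.slice(1).map(Number);
  // Reduced User-Agent strings report <major>.0.0.0, so within the fixed
  // major version they cannot show whether the patch is installed.
  const reduced = v[1] === 0 && v[2] === 0 && v[3] === 0;
  if (reduced && v[0] === FIXED[0]) return 'indeterminate';
  for (let i = 0; i < 4; i++) {
    if (v[i] < FIXED[i]) return 'vulnerable';
    if (v[i] > FIXED[i]) return 'patched';
  }
  return 'patched'; // exactly the fixed version
}

// Count verdicts over a list of inventory or proxy-log lines.
function triage(lines) {
  const counts = { vulnerable: 0, patched: 0, indeterminate: 0, unparseable: 0 };
  for (const line of lines) counts[classifyChromeVersion(line)]++;
  return counts;
}

// Constructed sample input.
const SAMPLE = [
  'Google Chrome 146.0.7680.74',
  'Google Chrome 146.0.7680.75',
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36',
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36',
  'Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0',
];
console.log(triage(SAMPLE));
```

Hosts reported as indeterminate need the full version from endpoint inventory, since the User-Agent header alone does not carry the build and patch numbers.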
➕ Added simulation:
Auto‑download of a harmless test.txt file (simulates payload delivery).
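Auto‑run simulation: The file is opened in a new tab. This is the closest browsers allow, because direct execution of downloaded files is blocked for security. In a real exploit, the shellcode would execute the file after compromising the renderer; because the renderer process runs inside the browser sandbox, that step would also depend on getting out of the sandbox.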
This page uses a combination of canvas 2D operations and SVG filters to stress Skia's memory handling.
The code executes automatically when the page loads. A harmless text file is downloaded and opened in a new tab; after a 2‑second delay, the crash PoC runs.
This PoC is based on educated guesses about the vulnerability's nature. It does not include specific exploit code and is intended solely for security education and testing within controlled environments.
Disclaimer: The author assumes no liability for any misuse or damage caused by this code.