The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Google vulnerabilities to its Known Exploited Vulnerabilities Catalog following evidence of active exploitation in the wild: CVE-2026-3909 (Google Skia out-of-bounds write) and CVE-2026-3910 (Google Chromium V8 flaw). Federal agencies are required to patch these vulnerabilities by a mandatory deadline under Binding Operational Directive 22-01, and CISA urges all organizations to prioritize remediation as part of standard vulnerability management.