CVE-2026-3910

Google Chromium V8 — Arbitrary Code Execution via Inappropriate Implementation
CVSS 3.1: 8.8 / 10 (HIGH) | CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026, with a remediation deadline of March 27, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-3910 is a vulnerability in V8, the JavaScript and WebAssembly engine used by Google Chrome and all Chromium-based browsers. An inappropriate implementation in V8 allows a remote attacker to execute arbitrary code inside a sandbox by luring a victim to a crafted HTML page. Chromium rates this vulnerability as High severity.

This CVE was added to the CISA KEV catalog on the same day as CVE-2026-3909 (Skia out-of-bounds write), both fixed in Chrome 146.0.7680.75. The simultaneous KEV listing of a V8 code execution flaw alongside a Skia memory corruption bug suggests these may have been observed in a chained exploit — using the V8 bug for initial code execution within the sandbox, and the Skia bug for sandbox escape or additional memory corruption.

V8 Engine & Exploitation Context

V8 is Google's open-source JavaScript and WebAssembly engine, written in C++ and used in Chrome, Node.js, Deno, and all Chromium-based browsers. V8 vulnerabilities are among the most dangerous browser flaws because they can be triggered simply by processing JavaScript on a web page — making them prime targets for:

  • Zero-day exploit chains — V8 bugs are frequently used as the initial code execution primitive, combined with sandbox escape exploits for full system compromise
  • Commercial spyware — vendors like NSO Group, Intellexa, and Candiru have historically leveraged V8 vulnerabilities in their exploit chains targeting journalists, activists, and government officials
  • State-sponsored campaigns — nation-state actors regularly target V8 for watering hole attacks and targeted phishing
  • Drive-by downloads — malvertising networks exploit V8 bugs to execute code when victims simply visit a compromised or malicious website

CISA's KEV description explicitly states this vulnerability "could affect multiple web browsers that utilize Chromium" — confirming the broad impact beyond Google Chrome alone.

Paired KEV Entry with CVE-2026-3909

| CVE | Component | Type | Role in Chain |
|---|---|---|---|
| CVE-2026-3910 | V8 (JavaScript engine) | Code Execution (in sandbox) | Initial code execution — attacker gains control inside renderer sandbox |
| CVE-2026-3909 | Skia (graphics library) | Out-of-bounds Write | Memory corruption — may enable sandbox escape or additional capabilities |

Vulnerability Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

The "inappropriate implementation" classification in Chromium's vulnerability taxonomy indicates a logical flaw in V8's code — distinct from typical memory corruption bugs. This could involve incorrect handling of JavaScript or WebAssembly type transitions, JIT compiler optimizations that produce incorrect machine code, or improper bounds checking during runtime operations.

The vulnerability enables arbitrary code execution within Chrome's renderer sandbox. While the sandbox limits the attacker's initial access, the code execution capability is a critical first step in browser exploitation:

  • Read/write sensitive renderer memory — access cookies, session tokens, form data, and DOM content from all tabs in the same process
  • Stage sandbox escape — use the foothold to exploit additional vulnerabilities (e.g., IPC bugs, kernel bugs, or companion vulnerabilities like CVE-2026-3909)
  • Exfiltrate data — steal information from the current browsing context before the user navigates away
  • Inject content — modify rendered pages to phish credentials or redirect payments

Affected Products & Versions

Google Chrome

| Platform | Vulnerable Versions | Fixed Version |
|---|---|---|
| Windows | All versions before 146.0.7680.75 | 146.0.7680.75 |
| macOS | All versions before 146.0.7680.75 | 146.0.7680.75 |
| Linux | All versions before 146.0.7680.75 | 146.0.7680.75 |

Other Affected Products

V8 is the JavaScript engine for all Chromium-based browsers and runtimes. The following products embed V8 and are independently affected:

  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi
  • Samsung Internet
  • Electron Apps
  • Node.js
  • Deno

Note: While Node.js and Deno use V8, exploitation in those contexts requires the attacker to supply malicious JavaScript to the runtime — a different threat model than browser-based exploitation. Chromium-based browsers and Electron applications are the primary concern for this CVE.

Impact

| Impact Area | Detail |
|---|---|
| Confidentiality | High — Attacker can read renderer process memory (cookies, tokens, DOM data) |
| Integrity | High — Arbitrary code execution enables modification of rendered content and data |
| Availability | High — Can crash or destabilize the browser renderer process |
| Attack Vector | Network — victim must visit a crafted web page |
| Privileges Required | None — any attacker can host a malicious page |
| User Interaction | Required — victim must navigate to the attacker's page |
| Sandbox Note | Code executes within Chrome's renderer sandbox — full system compromise requires a sandbox escape chain |

Remediation

Immediate Actions

  1. Update Google Chrome to version 146.0.7680.75 or later on all platforms
  2. Update all Chromium-based browsers — Microsoft Edge, Brave, Opera, and Vivaldi will release corresponding patches
  3. Update Electron-based applications — VS Code, Slack, Discord, Teams, and other Electron apps bundle their own Chromium/V8
  4. Verify auto-update — navigate to chrome://settings/help and confirm Chrome is current
  5. Restart the browser — Chrome updates require a restart to take effect; pending updates leave the system vulnerable
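
An added example (not part of the original advisory) that audits an inventory against the fixed Chrome build from steps 1 and 5. It compares versions as integer tuples, because string comparison misorders builds such as .9 and .100 against .75, and it separates hosts where the fix is installed but an older process is still running. The inventory layout, host names, status labels and every version other than 146.0.7680.75 are constructed for illustration.

```python
import re

FIXED = (146, 0, 7680, 75)  # first fixed Chrome build, per this advisory
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the first four-part version in text as an int tuple, else None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, installed, running):
    """Classify one host's browser state for CVE-2026-3910."""
    if product != "Google Chrome":
        # Other Chromium-based products number their releases differently.
        return "check-vendor"
    on_disk, in_memory = parse_version(installed), parse_version(running)
    if on_disk is None:
        return "unknown"
    if on_disk < FIXED:
        return "vulnerable"
    # Fixed build is installed, but an older process is still running.
    if in_memory is not None and in_memory < FIXED:
        return "restart-pending"
    return "patched"

# Constructed sample inventory: (host, product, installed, running).
# Host names and all versions other than 146.0.7680.75 are made up.
INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 146.0.7680.75", "146.0.7680.75"),
    ("ws-02", "Google Chrome", "Google Chrome 146.0.7680.9", "146.0.7680.9"),
    ("ws-03", "Google Chrome", "146.0.7680.100", "145.0.7632.160"),
    ("ws-04", "Microsoft Edge", "146.0.3856.59", "146.0.3856.59"),
    ("ws-05", "Google Chrome", "not found", None),
]

def audit(inventory):
    """Map each host name to its status string."""
    return {host: classify(*rest) for host, *rest in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Products other than Google Chrome are returned as "check-vendor" because this advisory gives a fixed version only for Chrome.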

Mitigations (if patching is delayed)

  • Chrome's Site Isolation (enabled by default) limits cross-origin data access even with renderer compromise
  • Use browser policies to restrict navigation to untrusted or unknown sites
  • Deploy web content filtering to block known malicious domains and URLs
  • Consider enabling V8 mitigations via Chrome flags where available for high-risk environments

Related Vulnerabilities

CVE-2026-3909 — Google Skia Out-of-Bounds Write. Fixed in the same Chrome update and added to CISA KEV on the same day. The Skia OOB write and V8 code execution may have been used together in a chained exploit in the wild.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2026-3910 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2026-03-13 |
| NVD Last Modified | 2026-03-13 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 |
| CISA KEV Added | 2026-03-13 |
| CISA KEV Deadline | 2026-03-27 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-03-27. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2026-03-12 | Chrome stable channel update 146.0.7680.75 released with fix for CVE-2026-3910 |
| 2026-03-13 | CVE-2026-3910 published on NVD |
| 2026-03-13 | Added to CISA Known Exploited Vulnerabilities catalog — confirms active exploitation |
| 2026-03-27 | CISA BOD 22-01 remediation deadline |