CVE-2026-3910
published 2026-03-13

CVE-2026-3910: Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted…

Priority: P1 · 85 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2026-03-27
ITW: Exploited in the wild
EPSS: 2.00% (78.3th percentile)

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected

9 ranges
Vendor   | Product        | Version range                                         | Fixed in
chromium | chromium       | >= 0 < 146.0.7680.80-1~deb12u1                        | 146.0.7680.80-1~deb12u1
chromium | chromium       | >= 0 < 146.0.7680.80-1~deb13u1                        | 146.0.7680.80-1~deb13u1
chromium | chromium       | >= 0 < 146.0.7680.80-1                                | 146.0.7680.80-1
debian   | chromium       | < chromium 146.0.7680.80-1~deb12u1 (bookworm)         | chromium 146.0.7680.80-1~deb12u1 (bookworm)
google   | chrome         | < 146.0.7680.75                                       | 146.0.7680.75
google   | chrome         | >= 146.0.7680.75 < 146.0.7680.75                      | 146.0.7680.75
google   | chrome_chrome  |                                                       |
msrc     | microsoft_edge |                                                       |
paloalto | prisma_browser |                                                       |

Detection & IOCs (extracted from sources)

  • CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, exploitable via a crafted HTML page to execute arbitrary code inside a sandbox. Detect exploitation attempts by monitoring for anomalous V8 engine behavior triggered by untrusted HTML pages in Chrome versions prior to 146.0.7680.75.
  • CVE-2026-3910 is actively exploited in the wild (CISA KEV listed). Prioritize detection and patching for Chrome versions prior to 146.0.7680.75 (Windows/Linux) and 146.0.7680.76 (macOS).
  • The vulnerability is triggered via a crafted HTML page. Network-level detection should focus on delivery of malicious HTML content targeting Chrome/Chromium-based browsers running V8 engine versions prior to the fix.
  • CVE-2026-3910 was patched alongside CVE-2026-3909 (out-of-bounds write in Skia). Endpoint detection should check for Chrome/ChromeOS versions below 146.0.7680.75 on Windows/Linux and 146.0.7680.76 on macOS as vulnerable targets.
  • The ChromeOS LTC channel fix for CVE-2026-3910 was released separately from the desktop Stable channel update; ChromeOS devices on the LTC channel should be verified for update status independently.
  • The out-of-band update may take days or weeks to reach all users via automatic update; manual update verification is recommended for timely remediation.

CVSS provenance

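Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vulncheck     |         | 8.8   | HIGH     |
cisa          |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_msrc   |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |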