CVE-2026-3910
published 2026-03-13
CVE-2026-3910: Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted…
Priority P1 · 85 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2026-03-27
Exploited in the wild
EPSS: 2.00% (78.3th percentile)
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 146.0.7680.80-1~deb12u1 | 146.0.7680.80-1~deb12u1 |
| chromium | chromium | >= 0 < 146.0.7680.80-1~deb13u1 | 146.0.7680.80-1~deb13u1 |
| chromium | chromium | >= 0 < 146.0.7680.80-1 | 146.0.7680.80-1 |
| debian | chromium | < chromium 146.0.7680.80-1~deb12u1 (bookworm) | chromium 146.0.7680.80-1~deb12u1 (bookworm) |
| | chrome | < 146.0.7680.75 | 146.0.7680.75 |
| | chrome | >= 146.0.7680.75 < 146.0.7680.75 | 146.0.7680.75 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs (extracted from sources)
- CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, exploitable via a crafted HTML page to execute arbitrary code inside a sandbox. Detect exploitation attempts by monitoring for anomalous V8 engine behavior triggered by untrusted HTML pages in Chrome versions prior to 146.0.7680.75.
- CVE-2026-3910 is actively exploited in the wild (CISA KEV listed). Prioritize detection and patching for Chrome versions prior to 146.0.7680.75 (Windows/Linux) and 146.0.7680.76 (macOS).
- The vulnerability is triggered via a crafted HTML page. Network-level detection should focus on delivery of malicious HTML content targeting Chrome/Chromium-based browsers running V8 engine versions prior to the fix.
- CVE-2026-3910 was patched alongside CVE-2026-3909 (out-of-bounds write in Skia). Endpoint detection should check for Chrome/ChromeOS versions below 146.0.7680.75 on Windows/Linux and 146.0.7680.76 on macOS as vulnerable targets.
- The ChromeOS LTC channel fix for CVE-2026-3910 was released separately from the desktop Stable channel update; ChromeOS devices on LTC channel should be verified for update status independently.
- The out-of-band update may take days or weeks to reach all users via automatic update; manual update verification is recommended for timely remediation.
CVSS provenance
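| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |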
Palo Alto
PAN-SA-2026-0004 Chromium: Monthly Vulnerability Update (April 2026)
vendor_paloalto·2026-04-08·CVSS 8.8
[HIGH] PAN-SA-2026-0004 Chromium: Monthly Vulnerability Update (April 2026)
Palo Alto Networks incorporated the following Chromium security fixes into our products:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html
CVE Summary
- CVE-2026-2648 Heap buffer overflow in PDFium
- CVE-2026-2649 Integer overflow in V8
- CVE-2026-2650 Heap
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2026-3909
vendor_chrome·2026-03-16·CVSS 8.8
CVE-2026-3909 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2026-3909
Long Term Support Channel Update for ChromeOS
CVE-2026-3909: Out of bounds write in Skia.
[ 491410818 ] High CVE-2026-3910: Inappropriate implementation in V8
If you have devices in the LTC channel, they will be updated to this version
Severity: high
CISA
Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
cisa·2026-03-13·CVSS 8.8
CVE-2026-3910 [HIGH] CWE-119 Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
Vulnerability: Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
Affected: Google Chromium V8
Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
Red Hat
chromium-browser: Inappropriate implementation in V8
vendor_redhat·2026-03-12·CVSS 8.8
CVE-2026-3910 [HIGH] chromium-browser: Inappropriate implementation in V8
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
An inappropriate implementation flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=491410818
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Chrome
Stable Channel Update for Desktop: CVE-2026-3910
vendor_chrome·2026-03-12·CVSS 8.8
CVE-2026-3910 [HIGH] Stable Channel Update for Desktop: CVE-2026-3910
Stable Channel Update for Desktop
CVE-2026-3910: Inappropriate implementation in V8. Reported by Google Threat Analysis Group on 2026-03-10
Google is aware that an exploit for CVE-2026-3910 exists in the wild
Severity: high
Microsoft
Chromium: CVE-2026-3910 Inappropriate implementation in V8
vendor_msrc·2026-03-10·CVSS 8.8
CVE-2026-3910 [HIGH] Chromium: CVE-2026-3910 Inappropriate implementation in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2026-3910 exists in the wild.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 146.0.3856.59 | 03/13/2026 | 146.0.7680.76 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-
Debian
CVE-2026-3910: chromium - Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allow...
vendor_debian·2026·CVSS 8.8
CVE-2026-3910 [HIGH] CVE-2026-3910: chromium - Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allow...
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 146.0.7680.80-1~deb12u1)
bullseye: open
forky: resolved (fixed in 146.0.7680.80-1)
sid: resolved (fixed in 146.0.7680.80-1)
trixie: resolved (fixed in 146.0.7680.80-1~deb13u1)
OSV
CVE-2026-3910: Inappropriate implementation in V8 in Google Chrome prior to 146
osv·2026-03-13·CVSS 8.8
CVE-2026-3910 [HIGH] CVE-2026-3910: Inappropriate implementation in V8 in Google Chrome prior to 146
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
GHSA
GHSA-69wh-543j-25h6: Inappropriate implementation in V8 in Google Chrome prior to 146
ghsa_unreviewed·2026-03-13
CVE-2026-3910 [HIGH] CWE-119 GHSA-69wh-543j-25h6: Inappropriate implementation in V8 in Google Chrome prior to 146
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
vulncheck·2026·CVSS 8.8
CVE-2026-3910 [HIGH] CWE-119 Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.h
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Bleepingcomputer
Google patches new Chrome zero-day flaw exploited in the wild
blogs_bleepingcomputer·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Google patches new Chrome zero-day flaw exploited in the wild
## Google patches new Chrome zero-day flaw exploited in the wild
## Sergiu Gatlan
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing s
Hackernews
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
blogs_hackernews·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
## Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," reads a description of the flaw in the NIST's National Vulnerability Datab
Bleepingcomputer
Google fixes fourth Chrome zero-day exploited in attacks in 2026
blogs_bleepingcomputer·2026-04-01·CVSS 8.8
[HIGH] Google fixes fourth Chrome zero-day exploited in attacks in 2026
## Google fixes fourth Chrome zero-day exploited in attacks in 2026
## Sergiu Gatlan
Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior.
While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company noted.
Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux
Hackernews
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
blogs_hackernews·2026-04-01·CVSS 8.8
CVE-2026-5281 [HIGH] New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
## New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a de
Checkpoint
16th March – Threat Intelligence Report
blogs_checkpoint·2026-03-16
CVE-2025-26399 16th March – Threat Intelligence Report
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Bleepingcomputer
Google fixes two new Chrome zero-days exploited in attacks
blogs_bleepingcomputer·2026-03-13·CVSS 8.8
CVE-2026-3910 [HIGH] Google fixes two new Chrome zero-days exploited in attacks
## Google fixes two new Chrome zero-days exploited in attacks
## Sergiu Gatlan
The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75).
While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today.
If you don't want to update your web browser manually, you can also have it check for updates automatically and install them at the next launch.
Although Google fo
Wiz
CVE-2026-3910 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-3910 [HIGH] CVE-2026-3910 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3910: vulnerability analysis and mitigation
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Source: NVD
- Score: 8.8
- Published: March 13, 2026
- Severity: HIGH
- CNA Score: 8.8
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 73.9
- Exploitation Probability (EPSS): 0.8
Affected packages and libraries
chromium-qt6-ui
chromium-qt6-ui-debuginfo
Sources
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23, edge | HIGH | Has Fix | Mar 17, 2026 |
| Debian 11 | HIGH | No Fix | Mar 13, 2026 |
| Debian 12, 13, 14 | HIGH | Has Fix | Mar 13, |
- 2026-03-13: Published
- 2026-03-13: Added to CISA KEV
- Exploited in the wild