🟢 CVE-2026-3910

CVE-2026-3910 is a Chrome V8 engine vulnerability that allows remote code execution via malicious HTML pages. Although it is actively exploited, exploitation requires user interaction and targets client browsers, not internet-facing servers.

Risk Level: LOW_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1189 — Drive-by Compromise

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-03-12

Added to CISA KEV: 2026-03-13 (1 day between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-13)

CVE-2026-3910 is a vulnerability in Google Chrome's V8 JavaScript and WebAssembly engine that has been actively exploited in the wild [3][8].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability is in the Chrome browser, a client used to access internet-facing applications and services, not in a server-side internet-facing application. It allows arbitrary code execution within the browser's sandbox when a user visits a crafted HTML page [1][2].
  • Evidence of active exploitation in the wild: Yes, there is confirmed evidence that CVE-2026-3910 has been actively exploited in the wild [3][8]. Google has released emergency security updates to address this zero-day vulnerability [8][9].
  • Attack vectors and exploitation methods: The vulnerability is an "inappropriate implementation" in the V8 engine [1][2]. Attackers can exploit this by creating a maliciously crafted HTML page [1][2]. When a user visits this page, the vulnerability can allow a remote attacker to execute arbitrary code inside the browser's sandbox [1][2]. This type of vulnerability in the V8 engine is often targeted for sandbox escape attacks [1].
  • Use in targeted attacks: While the sources confirm active exploitation, they do not specifically state whether CVE-2026-3910 has been used in targeted attacks. However, it is noted that Chrome bugs found by Google are often targeted by commercial spyware vendors [1].
  • CISA Known Exploited Vulnerabilities (KEV) status: CVE-2026-3910 has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog [5]. This addition signifies that the vulnerability has been exploited in the wild and poses a significant risk [5][7].
  • Technical details about internet exploitability: The vulnerability has a CVSS v3.1 base score of 8.8 (High) with an attack vector of "Network" and requires "User Interaction" (specifically, the user must visit a malicious web page) [2][4]. The exploit allows for remote code execution within the browser's sandbox [1][2]. The V8 engine is a frequent target for attackers because JavaScript is continuously executed during web browsing, offering numerous exploitation opportunities [6].

Sources

  1. Chrome 146 Update Patches Two Exploited Zero-Days

    CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine that could allow attackers to craft malicious HTML pages and execute arbitrary code. V8 flaws are often targeted in sandbox escape attacks. Google has not provided details on the exploitation of these vulnerabiliti…

  2. Vulnerability — Latest News, Reports &

    CVE-2026-3910 (CVSS score: 8.8) - An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. ... Google is aware that exploits for both CVE-2026-3909 an... ... The vulnera…

  3. CVE-2026-3910: Chrome V8 Zero-Day Used for In-the-Wild Attacks

    Earlier this year, Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026. Now, another emergency update has been released, fixing two more flaws already exploited in the wild, CVE-2026-3910 in Chrome’s V8 JavaScript and WebAssembly engine and CVE-2026-3909, an out-of-bou…

  4. CVE-2026-3910 - Vulnerability Details - OpenCVE

    cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH",…

  5. CISA KEV Adds Critical Skia and Chromium V8 Flaws (CVE-2026-3909, CVE ...

    CISA’s addition of two browser-related flaws to the Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026 — tracked as CVE‑2026‑3909 (an out‑of‑bounds write in Skia) and CVE‑2026‑3910 (an unspecified but actively exploited flaw in Chromium’s V8 engine) — is a blunt operational signal: thes…