CVE-2026-3910 is a Chrome V8 engine vulnerability that allows remote code execution via malicious HTML pages. While actively exploited, this requires user interaction and targets client browsers, not internet-facing servers.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: USER_INTERACTION
CVE Published: 2026-03-12
Added to CISA KEV: 2026-03-13 1 DAY BETWEEN CVE AND KEV
CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine that could allow attackers to craft malicious HTML pages and execute arbitrary code. V8 flaws are often targeted in sandbox escape attacks. Google has not provided details on the exploitation of these vulnerabilities, but Chrome bugs found by Google are often targeted by commercial spyware vendors.
CVE-2026-3910 (CVSS score: 8.8) - An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. ... Google is aware that exploits for both CVE-2026-3909 an... ... The vulnerabilities are listed below - CVE-2026-27577 ( CVSS score: 9.4) - Expression sandbox escape leading to remote code execution (RCE) CVE-2026-27493 (CVSS score: 9.5) - Unauthenticated expression ...
Earlier this year, Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026. Now, another emergency update has been released, fixing two more flaws already exploited in the wild, CVE-2026-3910 in Chrome’s V8 JavaScript and WebAssembly engine and CVE-2026-3909, an out-of-bounds write bug in Skia.Google has confirmed that CVE-2026-3910 is being exploited in the wild, but has not published technical details about the exploitation chain.
cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T22:07:27.730653Z", "id": "CVE-2026-3910", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"...
CISA’s addition of two browser-related flaws to the Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026 — tracked as CVE‑2026‑3909 (an out‑of‑bounds write in Skia) and CVE‑2026‑3910 (an unspecified but actively exploited flaw in Chromium’s V8 engine) — is a blunt operational signal: these are not academic bugs ...