A critical zero-day vulnerability in Google Chrome's V8 JavaScript engine, tracked as CVE-2026-3910, has been actively exploited in the wild before its disclosure. The flaw, which carries a CVSS score of 8.8, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on March 13, 2026, underscoring its severity and the urgency for remediation.
The vulnerability arises from inappropriate implementation in the V8 engine, allowing remote attackers to execute arbitrary code within a sandbox environment via a specially crafted HTML page. This capability could enable attackers to compromise affected systems, potentially leading to further exploitation or data exfiltration.
CVE-2026-3910 is associated with CWE-94 and CWE-119, indicating issues related to code injection and buffer overflow, respectively. The exploitation of this vulnerability was confirmed to have occurred before its public disclosure, marking it as a zero-day with a TTE (Time to Exploit) of -0.9 days. This highlights the sophisticated nature of the threat actors involved, who managed to leverage the flaw before it was officially recognized and patched.
Google has since released a patch for the vulnerability in Chrome version 146.0.7680.75. Users and administrators are strongly advised to update their browsers immediately to mitigate the risk of exploitation. Given the high severity and active exploitation of this vulnerability, organizations should prioritize this update and monitor for any signs of compromise related to this flaw.
CSURFACE