CVE-2026-3910 Overview
CVE-2026-3910 is a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome versions prior to 146.0.7680.75. The flaw stems from an inappropriate implementation in V8 that allows a remote attacker to execute arbitrary code inside the Chrome sandbox through a crafted HTML page. The Chromium project rated this issue High severity, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog. Affected platforms include Chrome on Windows, macOS, and Linux. The vulnerability maps to CWE-94 (Improper Control of Generation of Code) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Remote attackers can execute arbitrary code inside the Chrome sandbox by luring victims to a crafted HTML page, with active exploitation confirmed by CISA KEV listing.
Affected Products
- Google Chrome prior to 146.0.7680.75
- Microsoft Windows hosts running affected Chrome builds
- Apple macOS and Linux hosts running affected Chrome builds
Discovery Timeline
- 2026-03-13 - CVE-2026-3910 published to the National Vulnerability Database
- 2026-03-13 - Last updated in NVD database
Technical Details for CVE-2026-3910
Vulnerability Analysis
The vulnerability resides in V8, the open-source JavaScript and WebAssembly engine that powers Chrome and Chromium-derived browsers. V8 compiles JavaScript to native machine code through its TurboFan and Maglev optimizing compilers. An inappropriate implementation in this engine permits a crafted HTML page to drive V8 into a state where attacker-supplied JavaScript can execute arbitrary code within the renderer process sandbox.
The issue is classified under CWE-94 for improper control of code generation and CWE-119 for improper memory boundary handling. This combination is consistent with V8 engine flaws where JIT-generated code violates expected type or memory constraints, enabling attacker-controlled reads, writes, or control flow.
Exploitation requires user interaction, specifically a victim browsing to or rendering a malicious page. Successful exploitation provides code execution inside the sandboxed renderer, which adversaries commonly chain with a sandbox escape to obtain code execution on the host.
Root Cause
The root cause is an inappropriate implementation in V8 that fails to enforce expected invariants when processing attacker-controlled JavaScript. Chromium issue 491410818 tracks the upstream fix. Public technical detail remains restricted while the patched build rolls out.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a crafted HTML page or injects malicious JavaScript through an advertising chain, a compromised site, or a phishing link. When a victim using a vulnerable Chrome build loads the page, V8 processes the malicious payload and grants the attacker arbitrary code execution within the renderer sandbox.
No verified public proof-of-concept code is available. See the Google Chrome Update Blog and the Chromium Issue Tracker entry for vendor details.
Detection Methods for CVE-2026-3910
Indicators of Compromise
- Chrome renderer processes (chrome.exe --type=renderer on Windows, or the equivalent --type=renderer helper process on macOS and Linux) spawning unexpected child processes such as cmd.exe, powershell.exe, bash, or osascript.
- Outbound network connections from Chrome renderer processes to newly registered or low-reputation domains immediately after page load.
- Unexpected file writes by Chrome renderer processes outside the standard browser cache and profile directories.
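As an added example (not from the advisory or from Google), the following Python applies the first indicator above to constructed process-creation events: it flags children of a Chrome renderer whose image is one of the shells the advisory names and, as an assumption stated here rather than on the page, can optionally flag any child of a renderer at all, since a sandboxed renderer normally spawns none.

```python
from typing import Dict, List

# Child images the advisory lists as unexpected for a Chrome renderer.
# Matched on the lower-cased basename with any ".exe" suffix removed.
SUSPICIOUS_CHILDREN = {"cmd", "powershell", "pwsh", "bash", "sh", "osascript"}


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX image path to a lower-case basename without .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_renderer(cmdline: str) -> bool:
    """Chrome renderers carry --type=renderer on their command line on every platform."""
    return "--type=renderer" in cmdline.split()


def find_renderer_child_spawns(events: List[Dict[str, str]], strict: bool = False) -> List[Dict[str, str]]:
    """Return process-creation events whose parent is a Chrome renderer.
    strict=False: the child image must be in SUSPICIOUS_CHILDREN (the advisory's list).
    strict=True:  any child is reported (assumption: a sandboxed renderer spawns none)."""
    hits = []
    for ev in events:
        if not is_renderer(ev["parent_cmdline"]):
            continue
        if strict or _basename(ev["image"]) in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


# Constructed sample events in a Sysmon/EDR-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "parent_cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process',
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "mac02", "parent_cmdline": "Google Chrome Helper (Renderer) --type=renderer --lang=en-US",
     "image": "/usr/bin/osascript"},
    {"host": "lx03", "parent_cmdline": "/opt/google/chrome/chrome --type=renderer",
     "image": "/usr/bin/ls"},
]

if __name__ == "__main__":
    for ev in find_renderer_child_spawns(SAMPLE_EVENTS):
        print(f"ALERT {ev['host']}: renderer spawned {ev['image']}")
```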
Detection Strategies
- Hunt for browser exploitation chains by correlating renderer process activity with subsequent process creation and persistence events.
- Inventory Chrome installations across the fleet and flag any build below 146.0.7680.75 as exposed.
- Inspect web proxy and DNS telemetry for users visiting suspicious URLs delivered through phishing or malvertising campaigns referenced in CISA KEV reporting.
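Added example (not the advisory's own tooling) for the inventory step above: it parses Chrome version strings as reported by `google-chrome --version` or a software-inventory export, compares them numerically against the fixed build, and sorts constructed fleet data into exposed, patched and unknown hosts. Hostnames and the non-fixed version strings are made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "146.0.7680.75"  # first fixed Stable build named in the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from inventory text such as the output of
    `google-chrome --version` ("Google Chrome 146.0.7680.75") or a bare version string.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_exposed(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when the reported build is older than the fixed build, None if unparseable.
    Components are compared as integers: a plain string comparison would wrongly
    rank 146.0.7680.9 above 146.0.7680.75 because '9' sorts after '7'."""
    v = parse_version(text)
    return None if v is None else v < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split a host -> version-string mapping into (exposed, patched, unknown) host lists."""
    exposed, patched, unknown = [], [], []
    for host, text in inventory.items():
        r = is_exposed(text)
        (unknown if r is None else exposed if r else patched).append(host)
    return sorted(exposed), sorted(patched), sorted(unknown)


# Constructed inventory; not real fleet data.
SAMPLE_INVENTORY = {
    "ws01": "Google Chrome 146.0.7680.75",
    "ws02": "Google Chrome 145.0.7632.120",
    "ws03": "Google Chrome 146.0.7680.9",
    "mac02": "Google Chrome 146.0.7681.3",
    "lx03": "google-chrome: command not found",
}

if __name__ == "__main__":
    exposed, patched, unknown = triage(SAMPLE_INVENTORY)
    print("exposed:", exposed, "patched:", patched, "unknown:", unknown)
```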
Monitoring Recommendations
- Forward Chrome process telemetry, command-line arguments, and child-process relationships to a centralized analytics platform for behavioral analysis.
- Track CISA KEV catalog updates for new exploitation reporting on CVE-2026-3910 and update detection content accordingly.
- Alert on Chrome renderer processes performing actions associated with sandbox escape attempts, such as token manipulation or kernel object access on Windows.
How to Mitigate CVE-2026-3910
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.75 or later on all Windows, macOS, and Linux endpoints.
- Force a browser restart after deployment so the patched binary loads, since Chrome only applies updates on relaunch.
- Prioritize patching for users with broad web access, administrative privileges, or access to sensitive systems.
Patch Information
Google released the fix in the Stable channel update documented at the Google Chrome Update Blog. Apply Chrome 146.0.7680.75 or later. Organizations using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should monitor those vendors for downstream patches incorporating the same V8 fix.
Workarounds
- Deploy enterprise policy to enforce automatic Chrome updates and prevent users from running stale versions.
- Restrict browsing on high-value endpoints to a vetted allowlist of business-critical domains until patches are confirmed deployed.
- Disable the V8 JIT through the --js-flags="--jitless" runtime flag or the DefaultJavaScriptJitSetting enterprise policy (value 2 blocks JIT for all sites) on sensitive endpoints, accepting the performance trade-off.
# Verify deployed Chrome version on Linux endpoints
google-chrome --version
# Verify deployed Chrome version on macOS endpoints (the binary is not on PATH by default)
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# Windows enterprise policy to disable the V8 JIT for all sites (registry)
reg add "HKLM\Software\Policies\Google\Chrome" /v DefaultJavaScriptJitSetting /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

