CVE-2026-3910
Vexday Risk Score
51 (Attention)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 8.8 | EPSS 2.0% | KEV yes | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
12 Mar 2026: Published on NVD
13 Mar 2026: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A flaw in Chrome's V8 JavaScript engine allowed attackers to run malicious code within the browser sandbox by tricking users into visiting a specially crafted webpage. The code runs inside the sandbox, the Chrome protection designed to prevent harmful programs from accessing your system.
Technical detail
A CWE-119 buffer overflow vulnerability in the V8 engine enables remote code execution within the sandbox environment. The attack vector requires user interaction (visiting a malicious webpage); the impact includes arbitrary code execution with sandbox privileges, potentially leading to further system compromise through sandbox escape techniques.
Summary generated and translated by AI from the official description.
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · Chrome