High | 2026-03-12 | CVSS 8.8 | CVE-2026-3910 (2026-03-12) | Tags: chrome, v8, zero-day, rce, browser

Google Chromium V8 Remote Code Execution (Zero-Day)

A zero-day vulnerability in Chrome's V8 JavaScript engine allows remote code execution when visiting a malicious web page. Actively exploited in the wild.

Context

Google's Threat Analysis Group (TAG) discovered an actively exploited zero-day in the V8 JavaScript engine on March 10, 2026. Referenced as CVE-2026-3910 (CISA KEV added March 13, 2026), the flaw affects all Chromium-based browsers — Chrome, Edge, Opera, Brave — as well as Node.js and other V8-dependent runtimes.

Vulnerability

The vulnerability is an inappropriate implementation in V8 (CWE-94: Code Injection, CWE-119: Improper Restriction of Operations within Memory Buffer Bounds). A remote attacker can craft a malicious HTML page that triggers improper memory operations in V8, enabling arbitrary code execution within the browser's sandbox.

The attack requires no authentication — only that the victim visits a compromised or attacker-controlled web page.

Exploit in the Wild

Google TAG confirmed that an exploit exists in the wild, indicating active exploitation — likely by state-sponsored or advanced threat actors given TAG's involvement. While the initial code execution is sandboxed, it can be chained with sandbox escape vulnerabilities for full system compromise.

Impact

  • High impact on confidentiality, integrity, and availability
  • Visiting a malicious or compromised website is sufficient to trigger the exploit
  • Chrome holds ~65% browser market share — attack surface is massive
  • All Chromium-based browsers are affected
  • CISA remediation deadline: March 27, 2026

Indicators of Compromise (IOCs)

No specific network IOCs (domains, IPs) have been publicly released by Google TAG at this time. Monitor for the following behavioral indicators:

  • Process anomalies: browser renderer process spawning command shells, scripting hosts, or unusual OS utilities
  • Network anomalies: renderer processes with persistent outbound connections after crash/restart sequences
  • Content indicators: fetches of unusual URLs hosting obfuscated JavaScript or non-standard SVG payloads immediately before suspicious behavior
  • Post-exploitation: callbacks to low-reputation endpoints or sudden data exfiltration attempts
  • Crash patterns: repeated browser crashes localized to the same V8 memory region
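
The first behavioral indicator above (a renderer process spawning shells, scripting hosts, or OS utilities) can be checked against process-creation telemetry. The sketch below is an added example, not part of the original bulletin: the JSON field names and sample events are constructed, and the child-process list is an assumed starting set to tune per environment.

```python
import json
import ntpath  # splits on both "\" and "/", so one helper covers Windows and Linux paths

# Assumption: process-creation events arrive as JSON lines with these hypothetical
# field names: host, parent_image, parent_cmdline, image.
BROWSERS = {"chrome.exe", "chrome", "msedge.exe", "msedge",
            "brave.exe", "brave", "opera.exe", "opera"}
# Shells, scripting hosts and OS utilities a renderer has no reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "sh", "bash", "zsh", "curl", "wget"}

def name_of(path):
    return ntpath.basename(path).lower()

def is_renderer(image, cmdline):
    # Chromium starts renderers as the browser binary with --type=renderer.
    return name_of(image) in BROWSERS and "--type=renderer" in cmdline.split()

def find_renderer_spawns(lines):
    """Return one alert per event where a renderer is the parent of a suspicious child."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, keep scanning
        parent = ev.get("parent_image", "")
        child = name_of(ev.get("image", ""))
        if is_renderer(parent, ev.get("parent_cmdline", "")) and child in SUSPICIOUS_CHILDREN:
            alerts.append({"line": lineno, "host": ev.get("host"),
                           "parent": name_of(parent), "child": child})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"host": "ws-01", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_cmdline": "chrome.exe --type=renderer", "image": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"host": "ws-01", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_cmdline": "chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}',
    r'{"host": "lx-07", "parent_image": "/opt/google/chrome/chrome", "parent_cmdline": "/opt/google/chrome/chrome --type=renderer", "image": "/bin/sh"}',
    r'{"host": "ws-02", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_cmdline": "chrome.exe", "image": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"host": "ws-03", "parent_image": "C:\\Prog',
]

if __name__ == "__main__":
    for alert in find_renderer_spawns(SAMPLE_EVENTS):
        print(alert)
```

Only events whose parent carries `--type=renderer` are flagged; the main browser process starting a shell (fourth sample event) is left out here because it needs separate baselining.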

Remediation

  1. Update Chrome to version 146.0.7680.75 (Linux) or 146.0.7680.75/76 (Windows/Mac) or later.
  2. Update all Chromium-based browsers (Edge, Opera, Brave) to their corresponding patched versions.
  3. Enforce automatic browser updates across the organization.
  4. Consider browser isolation technologies for high-risk users.