Chrome V8 Remote Code Exec via HTML (pre 146.0.7680.75)
CVE-2026-3910 Published on March 12, 2026
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Known Exploited Vulnerability
This Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerabi vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
The following remediation steps are recommended / required by March 27, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2026-3910 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Buffer Overflow Vulnerability?
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CVE-2026-3910 has been classified to as a Buffer Overflow vulnerability or weakness.
Products Associated with CVE-2026-3910
Want to know whenever a new CVE is published for Google Chrome? stack.watch will email you.
Affected Versions
Google Chrome:- Version 146.0.7680.75 and below 146.0.7680.75 is affected.