Actively Exploited Browser Sandbox Escape in Microsoft Edge and Related Chromium Update
Microsoft Edge users were urged to update Stable Channel installations to version 146.0.3856.59 or later after CVE-2026-3910 was disclosed as having an available exploit and being actively exploited in the wild. Advisory details indicate the flaw can allow arbitrary code execution inside a sandbox through a crafted HTML page, and additional Edge vulnerabilities may also enable spoofing, remote code execution, and security restriction bypass. HKCERT rated the Edge issue as Extremely High Risk, underscoring the urgency of patching.
A separate advisory for Google Chrome addressed CVE-2026-3909 in Chrome versions prior to 146.0.7680.80, and CISA added that Chrome flaw to the Known Exploited Vulnerabilities catalog. Although both browser advisories were published the same day and concern actively exploited Chromium-based browser vulnerabilities, the Chrome item concerns a different CVE and a different vendor advisory and should be treated as a separate incident from the Edge-specific CVE-2026-3910 disclosure.
Related Stories

Google Chrome Zero-Day CVE-2026-2441 Exploited in the Wild
Google released an urgent *Chrome for Desktop* Stable Channel update to address **CVE-2026-2441**, a high-severity zero-day that Google said has an exploit **active in the wild**. The issue is a **use-after-free in Chrome’s CSS component**, a memory-corruption flaw that can enable code execution in the browser context when a user visits a malicious or compromised webpage; the vulnerability was reported to Google by researcher **Shaheen Fazim**. The Canadian Centre for Cyber Security echoed the need to patch Chrome, advising organizations to update beyond affected Stable Channel versions (Windows/Mac prior to `145.0.7632.68` and Linux prior to `144.0.7559.67`), while third-party reporting indicated patched Stable builds rolling out to `145.0.7632.75/.76` (Windows/Mac) and `144.0.7559.75` (Linux). Other Canadian Centre advisories published in the same period covered unrelated vendor patches for **Tenable Nessus Agent** (CVE-2026-2026), **Juniper Secure Analytics (JSA)**, **HPE SimpliVity** (Intel firmware advisories), and **PostgreSQL** point releases; these are separate remediation items and not part of the Chrome zero-day event.
4 weeks ago
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two **high-severity zero-day vulnerabilities**, `CVE-2026-3909` and `CVE-2026-3910`, that are being **exploited in the wild**. Advisory reporting says the flaws can enable **data manipulation** and **security restriction bypass**, prompting a **high-risk** assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes. Technical reporting identifies `CVE-2026-3909` as an **out-of-bounds write** in **Skia**, Chrome’s graphics library, and `CVE-2026-3910` as an **inappropriate implementation** issue in the **V8 JavaScript and WebAssembly engine**. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for **Windows `146.0.7680.75`**, **macOS `146.0.7680.76`**, and **Linux `146.0.7680.75`**. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
3 days ago
Chrome Zero-Day Vulnerability CVE-2025-13223 Exploited in the Wild
Google has released an emergency security update to address CVE-2025-13223, a critical zero-day vulnerability in the V8 JavaScript engine used by Chrome and Chromium-based browsers. This type confusion flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), allows attackers to achieve heap corruption and potentially execute arbitrary code simply by luring users to maliciously crafted websites. The vulnerability has been actively exploited in the wild, with Google confirming that threat actors are weaponizing it to bypass browser sandbox protections, steal credentials, escalate privileges, and deploy malware. The fix is included in Chrome version 142.0.7444.175/.176 for Windows, Mac, and Linux, and users are strongly urged to update and restart their browsers immediately to mitigate risk. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also rolling out patches. The involvement of Google TAG suggests possible links to advanced persistent threats, highlighting the urgency for both individuals and enterprises to apply updates and monitor for suspicious activity.
3 months ago