HighCISA KEVExploited in the wildPublic exploit

RCE in Google Chrome V8 via crafted HTML page

IdentifiersCVE-2026-3910CWE-682

CVE-2026-3910 is a high-severity inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine in Google Chrome prior to 146.0.7680.75/.76. Public reporting states that a remote attacker can trigger the flaw by getting a target to load a crafted HTML page, leading to arbitrary code execution inside the Chrome renderer sandbox. Multiple cited reports describe the issue only at a high level as an implementation flaw in V8, and Google restricted technical details because exploitation was observed in the wild. One exploitability-assessment context in the provided content characterizes the underlying issue as write-barrier elision leading to a use-after-free, but that detail is not corroborated by an official vendor description in the supplied material.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution within Chrome's sandboxed renderer context. This can enable execution of attacker-controlled code in the browser process handling untrusted web content, potentially allowing theft of data accessible to that context, further in-browser compromise, and use as part of a multi-stage exploit chain. By itself, the described outcome is code execution inside the sandbox rather than a full sandbox escape or direct system compromise.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is expedited patching. Until updates are fully deployed, reduce exposure to untrusted web content, restrict access to potentially malicious or compromised sites, and consider temporary hardening measures for high-risk users such as limiting browser use for sensitive workflows and increasing monitoring for browser exploitation activity. Because Google withheld technical details and no specific IOCs are provided in the supplied content, there is no vulnerability-specific mitigation beyond patching and general browser attack-surface reduction.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 146.0.7680.75 or later on Windows and Linux, and 146.0.7680.76 or later on macOS, as referenced in the supplied reporting. Apply the corresponding security updates for other Chromium-based browsers when available. Restart the browser after updating to ensure the patched build is active.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

88 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

88 SOURCESView more in app

socprime blogNews

Jun 9, 2026

CVE-2026-11645: Chrome Zero-Day in V8

A previously exploited Chrome zero-day from 2026 referenced only as one of the earlier Chrome zero-days.

cyber security newsNews

Jun 9, 2026

Google Chrome 0-Day Vulnerability Exploited in the Wild - Update Now

An actively exploited Chrome zero-day in the V8 JavaScript/WebAssembly engine caused by inappropriate implementation.

the hacker newsNews

Jun 9, 2026

Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now

An actively exploited Chrome zero-day referenced as one of five addressed by Google in 2026; no further technical details are provided in the content.

security affairsNews

Jun 9, 2026

Google fixes fifth actively exploited Chrome zero-day of 2026

A Chrome zero-day affecting the implementation of the V8 JavaScript/WebAssembly engine, reported as exploited in the wild.

+23 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity55

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-3910

NVD

nvd.nist.gov/vuln/detail/CVE-2026-3910

MITRE CWE · CWE-682

cwe.mitre.org

Vendor Advisory

chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html

Permissions Required

issues.chromium.org/issues/491410818

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3910