CVE-2026-3910: Chrome V8 Zero-Day Used for In-the-Wild Attacks

Chrome zero-days continue to pose a major risk for cyber defenders. Earlier this year, Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026. Now, another emergency update has been released, fixing two more flaws already exploited in the wild, CVE-2026-3910 in Chrome’s V8 JavaScript and WebAssembly engine and CVE-2026-3909, an out-of-bounds write bug in Skia.

Google describes CVE-2026-3910 as an inappropriate implementation issue in Chrome V8. In essence, a crafted HTML page may allow a remote attacker to execute arbitrary code inside the browser sandbox. 

The latest Chrome emergency patch lands against an increasing zero-day threat. Google Threat Intelligence Group tracked 90 zero-days exploited in the wild in 2025, up from 78 in 2024, and found that enterprise technologies accounted for 43 cases, or a record 48% of observed exploitation.

Register for SOC Prime’s AI-Native Detection Intelligence Platform, backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.

Explore Detections

Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2026-3910 Analysis 

According to Google’s security advisory, CVE-2026-3910 is a high-severity vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome. It can be triggered through a crafted HTML page and may allow arbitrary code execution inside the browser sandbox. Because V8 processes active content during normal browsing, exploitation can begin with something as simple as visiting a malicious or compromised website.

The risk is substantial because Chrome is deeply embedded in daily enterprise work. An actively exploited V8 flaw can turn ordinary browsing into a path for credential theft, malicious code delivery, or broader compromise, especially when combined with other bugs or phishing.

Google has confirmed that CVE-2026-3910 is being exploited in the wild, but has not published technical details about the exploitation chain. 

The same Chrome update also fixed CVE-2026-3909, a high-severity out-of-bounds write vulnerability in the Skia graphics library. Google says the flaw is also being exploited in the wild. Because it affects another core browser component and was fixed in the same emergency release, organizations should apply the full update without delay rather than focus on CVE-2026-3910 alone.

CVE-2026-3910 Mitigation

The recommended mitigation is to update Chrome immediately to the latest patched Stable Channel build. Google says the fixed desktop versions are 146.0.7680.75 and 146.0.7680.76 for Windows and macOS and 146.0.7680.75 for Linux. Because Google has confirmed in-the-wild exploitation, organizations should prioritize the update across employee endpoints, administrator workstations, and shared systems used for browsing.

Organizations using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also monitor for corresponding vendor patches, since those products may inherit exposure from the same underlying codebase. 

Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.