CVE Reports

Originally published at cvereports.com

CVE-2026-3910: Type Confusion in V8 Maglev Compiler Leading to Remote Code Execution

Vulnerability ID: CVE-2026-3910
CVSS Score: 8.8
Published: 2026-03-12

CVE-2026-3910 is a high-severity vulnerability in the Google Chrome V8 JavaScript engine. An inappropriate implementation in the Maglev compiler's Phi untagging pass allows a remote attacker to achieve arbitrary code execution within the browser sandbox. Google Threat Analysis Group (TAG) confirmed this zero-day vulnerability was exploited in the wild prior to the patch release in Chrome version 146.0.7680.75.

TL;DR

A zero-day vulnerability in Chrome's V8 Maglev compiler (Phi untagging pass) allows remote code execution inside the browser sandbox. The flaw is actively exploited and requires immediate patching to version 146.0.7680.75.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-119
  • Attack Vector: Network
  • CVSS Score: 8.8
  • EPSS Score: 0.21893 (95.67%)
  • Impact: Remote Code Execution (Sandbox)
  • Exploit Status: Active / In-the-wild
  • CISA KEV: Listed (Due: 2026-03-27)

Affected Systems

  • Google Chrome (Desktop & Mobile)
  • Microsoft Edge
  • Brave Browser
  • Opera Browser
  • V8 JavaScript Engine
  • Google Chrome: < 146.0.7680.75 (Fixed in: 146.0.7680.75)

Mitigation Strategies

  • Update Google Chrome to version 146.0.7680.75 or later.
  • Update all Chromium-based browsers (Edge, Opera, Brave) to their respective patched versions.
  • Enforce automatic browser updates via enterprise Group Policy or MDM solutions.

Remediation Steps:

  1. Audit endpoint fleets to identify instances of Chrome or Chromium-based browsers running versions prior to 146.0.7680.75.
  2. Deploy the update via centralized patch management systems.
  3. Verify the successful installation of the update by querying endpoint browser version telemetry.
  4. Instruct users to restart their browsers to ensure the newly installed binaries are actively loaded.

Read the full report for CVE-2026-3910 on our website for more details including interactive diagrams and full exploit analysis.
