Changeflow GovPing Vulnerability Management V8 in Chrome Vulnerable to Code Execution
Priority review Notice Added Final

V8 in Chrome Vulnerable to Code Execution

Favicon for www.cisa.gov CISA Known Exploited Vulnerabilities (KEV)
Published March 14th, 2026
Detected March 14th, 2026
Email

Summary

CISA has added a vulnerability in Google Chrome's V8 engine to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability (CVE-2026-3910) allows remote code execution and requires federal agencies to patch by March 13, 2026.

View original document View source feed page

What changed

CISA has identified and cataloged a critical vulnerability (CVE-2026-3910) affecting Google Chrome, specifically the V8 JavaScript engine. This vulnerability, rated High severity with a CVSS score of 8.8, allows for arbitrary code execution within a sandbox via a crafted HTML page. The issue is present in Chrome versions prior to 146.0.7680.75. This inclusion in CISA's KEV catalog signifies a known active exploitation threat.

Federal agencies are mandated to apply patches and mitigations for this vulnerability by March 13, 2026, to comply with CISA directives. While this specific deadline applies to federal agencies, all users of affected Chrome versions are strongly advised to update their browsers immediately to the latest version (146.0.7680.75 or later) to protect against potential exploitation. Failure to patch could lead to system compromise and data breaches.

What to do next

  1. Update Google Chrome to version 146.0.7680.75 or later.
  2. For federal agencies, ensure patching is completed by March 13, 2026.

Source document (simplified)

Required CVE Record Information

CNA: Chrome

Description

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Product Status

Learn more Versions 1 Total

Default Status: unknown

affected

  • affected from 146.0.7680.75 before 146.0.7680.75

References 2 Total

Authorized Data Publishers

Learn more

CISA-ADP

Updated:

2026-03-14

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

Learn more
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-03-13 |

KEV 1 Total

Learn more
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3910 (2026-03-13)

CWE 1 Total

Learn more
- CWE-119: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS 1 Total

Learn more
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

Related changes

Favicon for www.ice.gov ICE Removes War Criminal and Terrorist to Ethiopia
Priority review Mar 14, 2026 ICE News Releases Compliance Legal
Favicon for www.cisa.gov Google Chrome Skia Out-of-Bounds Write Vulnerability
Priority review Mar 14, 2026 CISA Known Exploited Vulnerabilities (KEV) Vulnerability Management
Favicon for www.irs.gov IRS Internal Revenue Bulletin 2026-12
Priority review Mar 14, 2026 IRS Internal Revenue Bulletin Taxation
Favicon for wid.cert-bund.de CPython Vulnerabilities Allow Remote Code Execution
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts
Favicon for wid.cert-bund.de Vim Vulnerability Allows Code Execution (CVSS 6.6)
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts
Favicon for wid.cert-bund.de FreeRDP Vulnerabilities - Remote Code Execution
Priority review Mar 13, 2026 CERT-Bund Security Advisories Vulnerability Alerts

Source

Favicon for www.cisa.gov
CISA Known Exploited Vulnerabilities (KEV) cisa.gov/known-exploited-vulnerabilities-catalog
Vulnerability Management
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various Federal Agencies
Published
March 14th, 2026
Compliance deadline
March 13th, 2026 (1 days ago)
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Geographic scope
National (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Software Vulnerabilities Product Safety

Browse Categories

Federal Courts 26 State Courts 91 Securities Regulation 6 Financial Regulation 43 Consumer Protection 5 Drug Safety 45 Data Protection 21 Competition 2 Attorneys General 3 Insurance Regulation 5 Trade & Export 36 Legislation 42 Energy Regulation 13 Environment 3 Labor & Employment 2 Tax 1

Get Vulnerability Management alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CISA Known Exploited Vulnerabilities (KEV) publishes new changes.

Free. Unsubscribe anytime.