COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-3910

CVE-2026-3910

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-03-13
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-3910
⚡ RCE ⌖ exploited in the wild shame 85/100 rceexploited-in-wildransomwaresupply-chaindata-breachunpatched

Google Chromium V8 allows remote code execution via crafted HTML pages, enabling attackers to bypass sandbox protections.

This vulnerability permits arbitrary code execution within the browser sandbox through a crafted HTML page, posing a severe risk to DIB organizations relying on Chromium-based browsers for web-based tools or portals. Immediate patching is critical to prevent remote attackers from exploiting this flaw to compromise user sessions or escalate privileges.

Shame score — Google shipped a high-severity RCE vulnerability in a widely deployed browser engine that was actively exploited in the wild, indicating a failure in timely detection and patching.

Players implicated

Google · vendorChromium V8 · product

Description

Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Affected FedRAMP products 2 in the catalog

ProductProviderStatusMatch
Google Services (Google Cloud Platform Products and underlying Infrastructure) Google Authorized vendor-exact · 0.90
Google Workspace Google Authorized vendor-exact · 0.90