CISA KEV Alert 3/13/2026, 7:22:40 PM

CISA Adds CVE-2026-3910 to Known Exploited Vulnerabilities Catalogue

CyberSIXT Evidence Panel
Source: marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

CISA has added CVE-2026-3910 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Google’s Chromium V8 engine – the JavaScript engine used by Chromium-based browsers such as Google Chrome, Microsoft Edge and Opera – and is described as an “Improper Restriction of Operations Within the Bounds of a Memory Buffer” vulnerability.

The vulnerability is a memory-bounds error that can be triggered by a crafted HTML page. When exploited, it allows a remote attacker to execute arbitrary code inside the browser sandbox. The attack surface is purely remote; no user interaction beyond visiting a malicious page is required. The CVSS v3.1 base score is 8.8, classifying the issue as High. Google released a patch on 13 March 2026 via the normal stable-channel update for desktop browsers, and the advisory is publicly available.

Because the entry appears in the KEV list, CISA confirms that the vulnerability is being actively exploited in the wild. No ransomware activity has been linked to this CVE at present. CISA has set a remediation deadline of 27 March 2026, giving organisations less than two weeks to address the flaw.

CISA’s required action is to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The directive applies directly to Federal Civilian Executive Branch (FCEB) agencies, but all organisations that deploy Chromium-based browsers should assess their exposure, ensure the March 2026 update is applied, and verify that any additional mitigations recommended by Google are in place.

For full technical details, see the NVD entry for CVE-2026-3910 and the CISA KEV catalogue.


Article by CyberSIXT