21 March
Google has issued an emergency patch for CVE-2026-3910, a high-severity zero-day vulnerability in Chrome's V8 JavaScript engine that is actively exploited in the wild. The flaw allows attackers to execute arbitrary code remotely simply by luring victims to a specially crafted web page, affecting billions of Chrome users worldwide.
Update Chrome Now!
If you are running Chrome below version 146.0.7680.75, you may be vulnerable to active exploitation.
Navigate to chrome://settings/help and update immediately — it takes less than a minute.
What Is CVE-2026-3910? — Understanding the V8 Engine
V8 is Google's open-source JavaScript engine that powers Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and many other Chromium-based browsers — as well as server-side runtimes like Node.js and Deno.
CVE-2026-3910 is a Type Confusion vulnerability in the Maglev Compiler (V8's JIT compiler), specifically in its Phi Untagging Pass. This flaw allows attackers to trick the engine into misinterpreting data types, enabling arbitrary code execution within the browser sandbox.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-3910 |
| CVSS Score | 8.8 (High) |
| Vulnerability Type | Type Confusion in Maglev Compiler (V8) |
| Impact | Remote Code Execution (RCE) within Browser Sandbox |
| Reported Date | March 10, 2026 |
| Patch Released | March 14, 2026 |
| Status | Actively Exploited in the Wild |
| CISA KEV | Added to Known Exploited Vulnerabilities Catalog on March 13, 2026 |
In addition to CVE-2026-3910, Google also patched CVE-2026-3909 (CVSS 8.8), a vulnerability in the Skia Graphics Library used by Chrome for rendering. Both vulnerabilities were actively exploited in the wild.
Affected Chrome Versions vs. Patched Versions
| Platform | Vulnerable Versions | Patched Versions |
|---|---|---|
| Windows | Below 146.0.7680.75 | 146.0.7680.75 / 146.0.7680.76 |
| macOS | Below 146.0.7680.75 | 146.0.7680.75 / 146.0.7680.76 |
| Linux | Below 146.0.7680.75 | 146.0.7680.75 |
| Other Chromium-based (Edge, Brave, Opera, Vivaldi) | Depends on Chromium version used | Monitor vendor-specific patches |
Important: It's Not Just Chrome!
Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi all share the same V8 engine. Organizations must verify that these browsers have also received corresponding patches.
How to Update Chrome — Step by Step
Updating Chrome is straightforward. Follow these steps:
- Open Chrome and type chrome://settings/help in the address bar
- Chrome will automatically check for updates — wait for the download to complete
- Click "Relaunch" to restart Chrome
- Return to chrome://settings/help and verify the version is 146.0.7680.75 or later
- For managed enterprise devices, have IT push the update via Group Policy or MDM
For Microsoft Edge, navigate to edge://settings/help; for Brave, navigate to brave://settings/help.
Why Zero-Days Are More Dangerous Than Known Vulnerabilities
The term "zero-day" means the vulnerability was exploited before a patch existed. Users had no way to protect themselves until the vendor released a fix, unlike known vulnerabilities where patches are available before widespread exploitation.
| Factor | Zero-Day Vulnerability | Known Vulnerability |
|---|---|---|
| Patch Availability | None at time of exploitation | Patch exists but isn't installed |
| Exposure Window | Unknown — may have been exploited for months | Starts from date of disclosure |
| Defense | Nearly impossible — must wait for patch | Apply patch immediately |
| Black Market Value | Extremely high (millions of dollars for Chrome) | Low — patch already exists |
| Typical Attacker | State-sponsored actors or APT groups | General — even script kiddies |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-3910 to its Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026, mandating that federal agencies apply the fix by March 27, 2026. This underscores the severity of the threat, which aligns with the types of vulnerabilities highlighted in the OWASP Top 10.
Google Disrupts Chinese Cyber Espionage — 53 Organizations Across 42 Countries
Beyond the zero-day patches, Google also revealed it disrupted a major cyberespionage campaign linked to China. The threat group tracked as UNC2814 compromised 53 organizations across 42 countries over the span of nearly a decade.
GRIDTIDE Campaign Details
- Targets: Telecommunications providers and government agencies across Africa, Asia, and the Americas
- Tools: A newly identified backdoor called "Gridtide" that abused Google Sheets as a Command & Control (C2) channel, disguising malicious traffic as normal cloud activity
- Duration: Active since at least 2017 — nearly 9 years
- Google's Response: Shut down all associated infrastructure, sinkholed domains, suspended abused Google Cloud accounts, and terminated access to Google Sheets instances used by the malware
Key Takeaway for Organizations
If state-sponsored hacker groups can use everyday cloud services like Google Sheets as C2 channels, then blocking suspicious URLs alone is insufficient. Organizations need behavioral detection capabilities and must take web application security seriously.
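As an added example (not from the original post or from Google's report), the following heuristic shows one concrete form "behavioral detection" can take: it scans endpoint network telemetry for processes other than a browser that contact a document-collaboration domain on a near-fixed cadence, which is the kind of pattern URL blocklists cannot express. The telemetry lines, the column layout and the process names are constructed, and the heuristic is illustrative only, not a description of how Gridtide actually behaved.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry (timestamp,host,process,destination); the
# column layout is an assumption, not any specific product's export format.
SAMPLE_EVENTS = """\
2026-03-20T09:00:00,ws-02,chrome.exe,docs.google.com
2026-03-20T09:03:12,ws-02,chrome.exe,docs.google.com
2026-03-20T09:17:45,ws-02,chrome.exe,docs.google.com
2026-03-20T09:31:03,ws-02,chrome.exe,docs.google.com
2026-03-20T09:00:00,ws-05,svchost.exe,docs.google.com
2026-03-20T09:05:01,ws-05,svchost.exe,docs.google.com
2026-03-20T09:10:00,ws-05,svchost.exe,docs.google.com
2026-03-20T09:14:59,ws-05,svchost.exe,docs.google.com
2026-03-20T09:20:00,ws-05,svchost.exe,docs.google.com
"""

# Processes for which traffic to cloud documents is expected (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
CLOUD_DOMAINS = {"docs.google.com", "sheets.googleapis.com"}

def parse_events(text):
    """Group request timestamps by (host, process) for the watched domains."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split(",")
        if dest in CLOUD_DOMAINS:
            series[(host, proc)].append(datetime.fromisoformat(ts))
    return series

def regularity(times):
    """Coefficient of variation of the gaps between requests; 0 = perfectly periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None  # too few samples to judge a cadence
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, max_cv=0.05):
    """Flag non-browser processes that talk to cloud documents on a near-fixed cadence."""
    hits = []
    for (host, proc), times in parse_events(text).items():
        cv = regularity(sorted(times))
        if proc.lower() not in BROWSERS and cv is not None and cv <= max_cv:
            hits.append((host, proc, round(cv, 3)))
    return hits
```

Human browsing (ws-02) produces irregular gaps and is ignored even though it hits the same domain; the threshold and the browser list are tuning knobs for a real deployment.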
Enterprise Browser Security Checklist
CVE-2026-3910 presents an excellent opportunity to review your organization's browser security posture:
| # | Measure | Details |
|---|---|---|
| 1 | Enable Auto-Update | Configure Group Policy to enable Chrome auto-updates — never disable auto-update |
| 2 | Force Relaunch After Update | Use the RelaunchNotification policy to force users to relaunch within 24-48 hours |
| 3 | Restrict Extensions | Allow only approved extensions — third-party extensions can be attack vectors |
| 4 | Enable Site Isolation | Run each site in its own process to reduce sandbox escape impact |
| 5 | Enable Enhanced Safe Browsing | Use Google Safe Browsing Enhanced mode for real-time phishing and malware detection |
| 6 | Regular Version Audits | Use asset management tools to verify all devices are updated — unpatched devices are weak links |
| 7 | DNS Filtering | Block malicious domains before the browser loads the page |
| 8 | User Training | Educate users about social engineering, phishing, and the risks of clicking unknown links |
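As an added example that is not part of the original post, here is a small audit script that checks an exported browser inventory against the patched builds quoted above; it covers both the manual version check in the update steps and the "Regular Version Audits" item in the checklist. The inventory lines and the host,platform,browser,version column layout are constructed assumptions, not the output of any real asset-management tool.

```python
from typing import Iterable, Optional, Tuple

# Minimum fixed Chrome build per platform, as listed in the post above.
PATCHED_CHROME = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

# Constructed sample export; real tooling output will differ.
SAMPLE_INVENTORY = """\
host,platform,browser,version
ws-01,windows,chrome,146.0.7680.75
ws-02,windows,chrome,146.0.7617.60
mac-07,macos,chrome,146.0.7680.76
srv-03,linux,chrome,145.0.7600.10
ws-09,windows,edge,146.0.3512.20
ws-10,windows,chrome,not-installed
"""

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); None if unparseable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform: str, browser: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'verify-vendor' or 'unknown'."""
    if browser.lower() != "chrome":
        # Edge/Brave/Opera/Vivaldi rebase on Chromium on their own schedule;
        # the post gives no fixed build for them, so flag for a vendor check.
        return "verify-vendor"
    minimum = PATCHED_CHROME.get(platform.lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "unknown"
    # Tuple comparison is component-wise, so 146.0.7680.9 < 146.0.7680.75.
    return "patched" if parsed >= minimum else "vulnerable"

def audit(lines: Iterable[str]) -> dict:
    """Group hostnames by status; the header line and blank lines are skipped."""
    report: dict = {}
    for line in lines:
        if not line.strip() or line.startswith("host,"):
            continue
        host, platform, browser, version = line.strip().split(",")
        report.setdefault(classify(platform, browser, version), []).append(host)
    return report

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY.splitlines()).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Hosts classed as "verify-vendor" still need a check against the vendor's own advisory, since the Chrome build numbers above do not apply to other Chromium-based browsers.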
Web Application Security and ERP Systems
Vulnerabilities like CVE-2026-3910 remind us that the browser is the front door to every system — including web-based ERP platforms. If a browser is compromised, every piece of data the user accesses through it could be at risk.
A robust ERP system must implement defense in depth:
- HTTPS Everywhere: Encrypt all data between the browser and server
- Content Security Policy (CSP): Prevent XSS and Prototype Pollution attacks
- Prepared Statements: Guard against SQL Injection
- Session Management: Auto-expire sessions and detect session hijacking
- Audit Trail: Log every transaction for forensic review
Saeree ERP Is Built with Security from the Ground Up
Saeree ERP uses an architecture that supports HTTPS, Content Security Policy, Role-based Access Control, and complete Audit Trail for every transaction — backed by APIs designed according to OWASP standards to defend against threats at every level.
In a world where the browser is the gateway to every system, patching is not something you do "when you have time" — it is something you must do immediately, because attackers don't wait.
- Saeree ERP Team
Conclusion
CVE-2026-3910 is a high-severity zero-day (CVSS 8.8) in Chrome's V8 JavaScript engine that has been actively exploited in the wild. It affects all Chromium-based browsers including Edge, Brave, Opera, and Vivaldi. All users must update to version 146.0.7680.75 or later immediately.
Meanwhile, the disruption of the GRIDTIDE campaign — which compromised 53 organizations across 42 countries — serves as a stark reminder that state-sponsored cyber threats are real and spare no organization, including government agencies.
Organizations running web-based ERP systems must prioritize browser security, as the browser is the critical link between users and all sensitive organizational data.
If you are interested in Saeree ERP, a system designed with security as a foundation, contact our team for a free consultation.