Two Actively Exploited Chrome Zero-Days Hit V8 — the Engine That Runs WebAssembly in Every Browser-Based File Tool
CVE-2026-3909 and CVE-2026-3910 are confirmed exploited in the wild. CVE-2026-3910 targets V8, Chrome's JavaScript and WebAssembly runtime — the same engine powering every privacy-first, browser-based file processing tool. CISA patch deadline: March 27, 2026.
VaultTools · March 26, 2026
Photo by Alexandre Debiève on Unsplash
Table of Contents
- What happened
- What each vulnerability does
- Why CVE-2026-3910 matters for browser-based file tools
- What the CISA KEV listing signals
- What users should do now
- Sources
What Happened
On March 10, 2026, Google’s own security team discovered two zero-day vulnerabilities in Chrome and confirmed both were actively exploited in the wild. Google released Chrome 146.0.7680.80 on March 16, 2026, patching both flaws:
- CVE-2026-3909 (CVSS 8.8): an out-of-bounds write in Skia, Chrome’s 2D graphics rendering library
- CVE-2026-3910 (CVSS 8.8): an inappropriate implementation in V8, Chrome’s JavaScript and WebAssembly engine
Both allow a remote attacker to execute arbitrary code or perform out-of-bounds memory access via a crafted HTML page, with no user action beyond loading the page in an unpatched browser. On March 13, 2026, CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog with a mandatory remediation deadline of March 27, 2026, for all U.S. Federal Civilian Executive Branch agencies.
A separate March 18, 2026, Chrome stable update (version 146.0.7680.153) patched 26 additional vulnerabilities across WebGL, WebRTC, Blink, ANGLE, PDFium, and the network stack.
What Each Vulnerability Does
CVE-2026-3909 is an out-of-bounds write in Skia, the graphics library responsible for rendering all visual content in Chrome: web pages, canvas elements, SVG, and embedded documents such as PDFs. An attacker who triggers this bug via a crafted page can corrupt memory adjacent to the graphics buffer, potentially enabling code execution or a browser crash without user interaction beyond visiting the page.
CVE-2026-3910 sits in V8, the engine Chrome uses to compile and run both JavaScript and WebAssembly. According to the CISA KEV entry, the flaw “allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.” Qualys rated both CVEs with a Qualys Vulnerability Score of 95 out of 100, reflecting confirmed in-the-wild exploitation.
Why CVE-2026-3910 Matters for Browser-Based File Tools
Privacy-first browser-based file tools use WebAssembly for core processing. When a user runs a PDF merge, image conversion, or JSON formatter entirely in the browser, the tool’s compiled Wasm module loads and executes inside V8. The file never reaches a server. The processing happens locally, inside the same engine that CVE-2026-3910 targets.
This does not make those tools the attack vector. The vulnerability is triggered by a malicious HTML page, not by a trusted Wasm binary. A well-written Wasm module compiled from Rust or C contains no exploit payload. But if a user’s Chrome is unpatched, any Wasm-executing tab in that browser runs on compromised runtime infrastructure.
The principle holds: local file processing protects your data from server-side breaches, third-party access, and cloud storage exposure. It does not substitute for patching the browser engine itself. Both layers require attention.
What the CISA KEV Listing Signals
CISA’s Known Exploited Vulnerabilities catalog records flaws confirmed as exploited by real threat actors in production environments, not theoretical proof-of-concept attacks. Inclusion creates a mandatory patching obligation for U.S. federal agencies and serves as a standard-of-care benchmark for private-sector security teams.
The turnaround from Google’s patch release (March 16) to CISA’s KEV listing (March 13, three days before the stable release) reflects the severity of confirmed exploitation. Google issued a preliminary advisory on March 13 ahead of the full stable channel update on March 16. The March 27 deadline gives federal agencies 14 days from discovery to deploy the fix across managed endpoints.
What Users Should Do Now
Open Chrome and go to chrome://settings/help. If the displayed version is below 146.0.7680.80, Chrome will begin updating automatically on that page. Restart the browser after the update completes to apply it.
The same V8 engine ships in all Chromium-based browsers. Users of Microsoft Edge, Brave, Opera, and Vivaldi should check their respective vendor advisories for equivalent patches addressing the same vulnerability class.
Sources
- Google Patches Two Chrome Vulnerabilities Exploited in the Wild (CVE-2026-3909 & CVE-2026-3910) (Qualys ThreatPROTECT, March 16, 2026)
- Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 (Vulert)
- Google rushes Chrome update to fix zero-days under attack (The Register, March 13, 2026)
- Google patches two Chrome zero-days under active attack (Malwarebytes, March 13, 2026)
- Chrome Under Attack: Google Patches Two Actively Exploited Zero-Day Vulnerabilities (CISO Node)
- CVE-2026-3909 and CVE-2026-3910 Chrome Zero-Day Exploited (CVSS 8.8) (Purple Ops)
- Google Chrome Update Fixes 26 Security Flaws, Including RCE Vulnerabilities (CyberPress)
- CISA Known Exploited Vulnerabilities Catalog (CISA)