
External risk intelligence

Google Chrome could allow external attackers to execute malicious code on employee devices

Chromium-based browsers like Google Chrome, Microsoft Edge, and Opera could allow external attackers to execute malicious code on employee devices via crafted webpages. This vulnerability is actively being exploited and could compromise operational systems and sensitive company data.

NVD published March 13, 2026

External risk brief | Known Exploit

CVE-2026-3910

Halo Surface Signal: 1/5

This vulnerability impacts client-side browser software. Browsers are client applications that initiate connections to the internet rather than acting as public-facing network services that listen for incoming traffic. Because the vulnerability is situated within client-side software, it does not present a directly reachable, internet-exposed network surface.

Exposure facts

H – Horizon Alert

A security vulnerability has been identified within the Chromium browser engine, which powers widely used tools such as Google Chrome, Microsoft Edge, and Opera. This flaw allows a remote attacker to use a specially crafted webpage to execute unauthorized code within the browser's protected environment. This is a significant concern as it poses a risk to the integrity of standard web browsing activities.

A – Asset Exposure

This issue affects widely used web browsers built on the Chromium engine, such as Google Chrome, Microsoft Edge, and Opera. As these tools are standard for navigating the public internet, users may be at risk when visiting malicious or compromised websites. An external attacker could exploit this vulnerability to execute unauthorized commands within the browser, potentially endangering operational systems and sensitive data.

L – Live Threat

This vulnerability is actively being exploited in the wild, as confirmed by its inclusion in the CISA Known Exploited Vulnerabilities catalog. Because the flaw allows for unauthorized code execution within core browser components, it poses a verified and direct risk to systems utilizing this software. Given this documented real-world targeting, the security risk associated with this vulnerability is significant.

O – Operational Fix

To secure your environment, please prioritize updating Google Chrome and all Chromium-based browsers to the latest release provided by the vendor. Ensure your IT teams follow official vendor instructions to apply these updates across all organizational systems promptly. If immediate updates are unavailable for specific applications, please review vendor guidance or implement recommended mitigation steps to protect your environment.
