CVE-2026-3910

CVE-2026-3910: Google Chromium V8 Memory Buffer Bounds Violation

Detects exploitation attempts and post-exploitation indicators related to CVE-2026-3910, an improper restriction of operations within the bounds of a memory buffer (CWE-119) in Google Chromium's V8 JavaScript engine. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve remote code execution via a malicious web page, potentially leading to sandbox escape and full system compromise.

Vulnerability Intelligence

KEV: Known Exploited

Affected Software

Vendor: Google
Product: Chromium V8

Weakness (CWE)

CWE-119

Timeline

Disclosed: March 13, 2026

CVSS

Unscored

What is CVE-2026-3910: Google Chromium V8 Memory Buffer Bounds Violation?

CVE-2026-3910 (Google Chromium V8 Memory Buffer Bounds Violation) maps to the Initial Access, Execution and Privilege Escalation tactics in MITRE ATT&CK. Initial Access means the adversary is trying to get into your network.

This page provides production-ready detection logic for CVE-2026-3910, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceCrashEvents, DeviceNetworkEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Execution, Privilege Escalation
Microsoft Sentinel / Defender
kusto
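// Script hosts and LOLBins that are suspicious as children of a browser process
let suspiciousChildProcs = dynamic(['cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','wmic.exe']);
// TimeGenerated is the Microsoft Sentinel column name; Defender advanced hunting exposes these tables with Timestamp
// Branch 1: Chrome or Edge spawning one of the listed child processes
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where InitiatingProcessFileName =~ 'chrome.exe' or InitiatingProcessFileName =~ 'msedge.exe'
| where FileName in~ (suspiciousChildProcs)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName
| union (
    // Branch 2: browser crashes with access violation (0xC0000005), integer divide-by-zero (0xC0000094) or breakpoint (0x80000003)
    // Requires the DeviceCrashEvents table listed under Required Tables
    DeviceCrashEvents
    | where TimeGenerated >= ago(7d)
    | where FileName =~ 'chrome.exe' or FileName =~ 'msedge.exe'
    | where ExceptionCode in ('0xC0000005','0xC0000094','0x80000003')
    | project TimeGenerated, DeviceName, FileName, ExceptionCode, ExceptionAddress
)
| union (
    // Branch 3: chrome.exe only (msedge.exe is not covered here) connecting to public IPv4 addresses on ports other than 80/443
    DeviceNetworkEvents
    | where TimeGenerated >= ago(7d)
    | where InitiatingProcessFileName =~ 'chrome.exe'
    | where RemotePort !in (80, 443)
    | where not(ipv4_is_private(RemoteIP))
    | project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
)
| sort by TimeGenerated desc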

Detects Chrome/Edge spawning suspicious child processes indicative of V8 exploitation, browser crash events with memory violation exception codes, and anomalous outbound network connections from the browser process that may signal post-exploitation activity.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceProcessEvents, DeviceCrashEvents, DeviceNetworkEvents

Required Tables

DeviceProcessEvents, DeviceCrashEvents, DeviceNetworkEvents

False Positives

  • Legitimate browser automation tools (Selenium, Playwright) may spawn cmd.exe or PowerShell as child processes of chrome.exe
  • Browser crash events may occur due to unrelated software instability or incompatible extensions
  • Enterprise management software may legitimately invoke browser processes with non-standard child processes
  • Development environments running Node.js or V8-based tooling may trigger similar patterns
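The query above unions three independent signals without relating them, so a browser crash on one host and a child process on another sit side by side in the results. As an added example (not part of the original page or of any vendor tooling), this Python script correlates exported result rows per device and down-ranks uncorroborated hits from browser automation; the 10-minute window, the automation switch list, the priority labels and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Chrome switches typically set by Selenium/Playwright; treating them as benign is an assumption.
AUTOMATION_FLAGS = ("--enable-automation", "--remote-debugging-port", "--headless")
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

def classify(row):
    """Name the query branch a unioned row came from, based on its projected columns."""
    if row.get("ExceptionCode"):
        return "crash"
    if row.get("RemoteIP"):
        return "network"
    return "child_process"

def triage(rows):
    """Return one finding per suspicious child process, ranked by corroborating signals."""
    by_device = {}
    for row in rows:
        event = dict(row, kind=classify(row), ts=datetime.fromisoformat(row["TimeGenerated"]))
        by_device.setdefault(event["DeviceName"], []).append(event)
    findings = []
    for device, events in by_device.items():
        for child in (e for e in events if e["kind"] == "child_process"):
            near = [e for e in events if abs(e["ts"] - child["ts"]) <= WINDOW]
            reasons = ["browser spawned " + child["FileName"]]
            if any(e["kind"] == "crash" and e["ts"] <= child["ts"] for e in near):
                reasons.append("browser crash shortly before")
            if any(e["kind"] == "network" for e in near):
                reasons.append("non-web outbound connection nearby")
            cmdline = (child.get("InitiatingProcessCommandLine") or "").lower()
            automated = any(flag in cmdline for flag in AUTOMATION_FLAGS)
            # Corroborated hits stay high even on an automation host.
            priority = "high" if len(reasons) > 1 else ("low" if automated else "medium")
            findings.append({"device": device, "priority": priority,
                             "automation": automated, "reasons": reasons})
    return findings

# Constructed rows shaped like the query's three projections (not real telemetry).
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-03-14T09:00:00", "DeviceName": "WS-01",
     "FileName": "chrome.exe", "ExceptionCode": "0xC0000005"},
    {"TimeGenerated": "2026-03-14T09:02:10", "DeviceName": "WS-01", "FileName": "powershell.exe",
     "InitiatingProcessCommandLine": "chrome.exe --type=renderer"},
    {"TimeGenerated": "2026-03-14T09:03:00", "DeviceName": "WS-01",
     "RemoteIP": "203.0.113.1", "RemotePort": 4444},
    {"TimeGenerated": "2026-03-14T11:30:00", "DeviceName": "BUILD-07", "FileName": "cmd.exe",
     "InitiatingProcessCommandLine": "chrome.exe --enable-automation --remote-debugging-port=9222"},
    {"TimeGenerated": "2026-03-14T12:00:00", "DeviceName": "WS-02",
     "FileName": "msedge.exe", "ExceptionCode": "0xC0000005"},
]
```

Calling `triage(SAMPLE_ROWS)` yields a high-priority finding for WS-01 (crash, then child process, then outbound connection) and a low-priority one for BUILD-07; the lone crash on WS-02 produces no finding.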

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-3910 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Chrome Spawning PowerShell Child Process

    Expected signal: Sysmon EventID 1 showing powershell.exe with ParentImage chrome.exe; DeviceProcessEvents alert in MDE; CrowdStrike ProcessRollup2 with ParentBaseFileName=chrome.exe and FileName=powershell.exe

  2. Test 2: Simulate Chrome Spawning certutil for Payload Download

    Expected signal: Sysmon EventID 1 with ParentImage chrome.exe and Image certutil.exe; network connection attempt to 127.0.0.1:8080; file creation event in C:\Windows\Temp\

  3. Test 3: Simulate Chrome Crash with Access Violation Exception

    Expected signal: Windows Application EventLog EventID 1000 with Faulting application name matching the test process; exception code 0xC0000005 (STATUS_ACCESS_VIOLATION) visible in event data

  4. Test 4: Simulate Anomalous Outbound Connection from Chrome Process

    Expected signal: Network flow log showing outbound TCP SYN to 203.0.113.1:4444 (TEST-NET-3, RFC 5737 — safe for testing); process name visible in socket tracking if using eBPF-based EDR
