Detect CVE-2026-3910: Google Chromium V8 Memory Buffer Bounds Violation in Splunk

Detects exploitation attempts and post-exploitation indicators related to CVE-2026-3910, an improper restriction of operations within the bounds of a memory buffer (CWE-119) in Google Chromium's V8 JavaScript engine. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve remote code execution via a malicious web page, potentially leading to sandbox escape and full system compromise.

MITRE ATT&CK

Tactics: Initial Access, Execution, Privilege Escalation

SPL Detection Query

Splunk (SPL)

```spl
index=endpoint ((sourcetype=sysmon EventCode=1) OR (sourcetype=crowdstrike:events:sensor event_simpleName=ProcessRollup2))
| eval parent=lower(coalesce(ParentImage, ParentBaseFileName)), proc=lower(coalesce(Image, FileName))
| eval parent_name=mvindex(split(parent, "\\"), -1), proc_name=mvindex(split(proc, "\\"), -1)
| where parent_name IN ("chrome.exe","msedge.exe")
  AND proc_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe","wmic.exe")
| eval detection_source="child_process_spawn", detail=CommandLine
| append [
    search index=wineventlog (EventCode=1000 OR EventCode=1001) (Application="chrome.exe" OR Application="msedge.exe")
    | eval proc=lower(Application), parent="-", detection_source="application_crash", detail=Message
    | table _time, host, proc, parent, detection_source, detail
  ]
| append [
    search index=network (sourcetype=firewall OR sourcetype=proxy) (src_process="chrome.exe" OR src_process="msedge.exe")
    | where NOT (dest_port=80 OR dest_port=443)
    | where NOT match(dest_ip,"^(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.)")
    | eval proc=lower(src_process), parent="-", detection_source="anomalous_network", detail=dest_ip.":".dest_port
    | table _time, host, proc, parent, detection_source, detail
  ]
| bin _time span=5m
| stats count, values(detail) AS detail by _time, host, detection_source, proc, parent
| sort -_time
```

Sysmon `Image` and `ParentImage` carry full paths, so both are reduced to their file name before the `IN` comparison (a bare `proc IN ("cmd.exe", ...)` against a full path never matches); CrowdStrike ProcessRollup2 events expose `ParentBaseFileName` and `FileName` instead, which are coalesced in. The crash and network branches set `proc` and `parent` explicitly because `stats ... by proc, parent` silently drops any row in which those fields are missing.

Severity: critical · Confidence: medium

Detects Chromium V8 exploitation indicators including suspicious child process spawning from Chrome/Edge, application crash events, and anomalous outbound network connections from browser processes.

Data Sources

  • Sysmon
  • CrowdStrike Falcon
  • Windows Event Logs
  • Firewall/Proxy logs

Required Sourcetypes

  • crowdstrike:events:sensor
  • sysmon
  • wineventlog
  • firewall

False Positives & Tuning

  • Browser automation frameworks such as Selenium WebDriver may legitimately spawn cmd.exe or PowerShell as part of test execution
  • Enterprise software deployment tools may use browser processes as launch points for legitimate installers
  • Browser crash events are common and may be caused by faulty extensions, incompatible codecs, or memory pressure unrelated to exploitation
  • IT management solutions may establish non-standard outbound connections from browser processes

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Chrome Spawning PowerShell Child Process

    Expected signal: Sysmon EventID 1 showing powershell.exe with ParentImage chrome.exe; DeviceProcessEvents alert in MDE; CrowdStrike ProcessRollup2 with ParentBaseFileName=chrome.exe and FileName=powershell.exe

  2. Test 2: Simulate Chrome Spawning certutil for Payload Download

    Expected signal: Sysmon EventID 1 with ParentImage chrome.exe and Image certutil.exe; network connection attempt to 127.0.0.1:8080; file creation event in C:\Windows\Temp\

  3. Test 3: Simulate Chrome Crash with Access Violation Exception

    Expected signal: Windows Application EventLog EventID 1000 with Faulting application name matching the test process; exception code 0xC0000005 (STATUS_ACCESS_VIOLATION) visible in event data

  4. Test 4: Simulate Anomalous Outbound Connection from Chrome Process

    Expected signal: Network flow log showing outbound TCP SYN to 203.0.113.1:4444 (TEST-NET-3, RFC 5737 — safe for testing); process name visible in socket tracking if using eBPF-based EDR
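To check the three branches of the query against the expected signals of the tests above before the rule goes live, here is an added Python emulation of its logic (not part of the original detection package) run over constructed Sysmon, Application log and firewall records; host names and file paths are hypothetical.

```python
import ipaddress
# Process names taken from the SPL query's where clause.
BROWSERS = {"chrome.exe", "msedge.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe"}
# The three RFC 1918 ranges the query's dest_ip regex suppresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def basename(image):
    """Sysmon Image/ParentImage are full paths; compare on the lower-cased file name."""
    return image.lower().rsplit("\\", 1)[-1]

def detect(ev):
    """Return the detection_source the query's matching branch would assign, else None."""
    if ev["source"] == "sysmon" and ev.get("EventCode") == 1:
        if basename(ev["ParentImage"]) in BROWSERS and basename(ev["Image"]) in LOLBINS:
            return "child_process_spawn"
    elif ev["source"] == "wineventlog" and ev.get("EventCode") in (1000, 1001):
        if basename(ev["Application"]) in BROWSERS:
            return "application_crash"
    elif ev["source"] == "firewall":
        dst = ipaddress.ip_address(ev["dest_ip"])
        if (basename(ev["src_process"]) in BROWSERS
                and ev["dest_port"] not in (80, 443)
                and not any(dst in net for net in RFC1918)):
            return "anomalous_network"
    return None

def count_by_source(events):
    """Mirror the query's closing `stats count by detection_source`."""
    counts = {}
    for label in filter(None, map(detect, events)):
        counts[label] = counts.get(label, 0) + 1
    return counts
# Constructed sample telemetry (hypothetical hosts, not real incident data): one
# record for Tests 1, 3 and 4 above, plus two benign records that must stay silent.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventCode": 1, "host": "ws01", "ParentImage": CHROME,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # Test 1
    {"source": "sysmon", "EventCode": 1, "host": "ws01", "ParentImage": CHROME,
     "Image": CHROME},                                         # benign renderer child
    {"source": "wineventlog", "EventCode": 1000, "host": "ws02",
     "Application": "chrome.exe", "ExceptionCode": "0xc0000005"},             # Test 3
    {"source": "firewall", "host": "ws03", "src_process": "chrome.exe",
     "dest_ip": "203.0.113.1", "dest_port": 4444},                             # Test 4
    {"source": "firewall", "host": "ws03", "src_process": "chrome.exe",
     "dest_ip": "10.20.30.40", "dest_port": 8443},             # RFC 1918, suppressed
]
```

Running `count_by_source(SAMPLE_EVENTS)` yields one hit per branch and nothing for the two benign records, which is the shape the Splunk `stats` output should take when the Atomic tests fire.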
