The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical Chromium vulnerabilities, CVE-2026-3909 and CVE-2026-3910, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private sector organizations are under a critical directive to patch immediately.
Both vulnerabilities reside within the V8 JavaScript and WebAssembly engine. Specifically, they are out-of-bounds memory access flaws that occur during the JIT (Just-In-Time) compilation phase. When V8 attempts to optimize an array lookup, it fails to perform adequate bounds checking under specific edge cases involving deeply nested typed arrays.
Attackers exploit this by crafting malicious JavaScript that forces the V8 engine to read or write memory outside the intended buffer. This allows for arbitrary code execution within the browser's sandbox. In highly targeted attacks observed in the wild, this has been chained with a separate OS-level vulnerability to achieve full sandbox escape.
The exploit vector requires minimal user interaction—simply navigating to a compromised website or viewing a malicious advertisement frame is sufficient. Telemetry indicates these zero-days are being leveraged in sophisticated spear-phishing campaigns targeting financial institutions.
System administrators must deploy Chromium version 142.0.7250.0 or later. For headless environments utilizing Puppeteer or Playwright, it is crucial to update the underlying browser binaries, as these environments are equally susceptible to automated exploitation.
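The following script is an added example, not part of the original advisory: it classifies `--version` output from Chromium-family binaries against the fixed build 142.0.7250.0 stated above. The function names are hypothetical, and the binary paths to scan (system browser, plus whatever your Puppeteer or Playwright install downloaded) must be passed as arguments; with no arguments it runs on constructed sample strings.

```shell
#!/bin/sh
# Added example: flag Chromium-family binaries older than the fixed build.
MIN_VERSION="142.0.7250.0"   # minimum fixed version given in the text

# Pull the first MAJOR.MINOR.BUILD.PATCH token out of a string such as
# "Google Chrome 142.0.7250.0" or "Chromium 141.0.7390.54 snap".
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 >= version $2. Fields are compared numerically, so
# 142.0.7250.0 sorts above 99.0.9999.9 (a plain string compare gets this wrong).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # intentional split on '.': $1-$4 vs $5-$8
    IFS=$old_ifs
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# Print PATCHED, VULNERABLE or UNKNOWN for one line of `--version` output.
classify_version_output() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"
    elif version_ge "$v" "$MIN_VERSION"; then echo "PATCHED $v"
    else echo "VULNERABLE $v"
    fi
}

# Run each binary path given as an argument with --version and report it.
scan_binaries() {
    for bin in "$@"; do
        out=$("$bin" --version 2>/dev/null) || out=""
        printf '%s\t%s\n' "$(classify_version_output "$out")" "$bin"
    done
}

if [ "$#" -gt 0 ]; then
    scan_binaries "$@"
else
    # Constructed sample outputs, used when no binary paths are supplied.
    for sample in "Google Chrome 142.0.7250.0" "Chromium 141.0.7390.54 snap" \
                  "Chromium 99.0.4844.51" "not a browser"; do
        printf '%s\t%s\n' "$(classify_version_output "$sample")" "$sample"
    done
fi
```

Browser binaries downloaded by automation frameworks are separate files from the system browser, so each one has to be listed and checked on its own; an UNKNOWN result means the binary did not run or printed no version and needs manual inspection.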