CVE-2026-4679: Chrome Fonts Integer Overflow Fixed in 146.0.7680.165

  • Thread Author
Google’s latest Chrome security advisory for CVE-2026-4679 is a reminder that even mature browser engines still carry hard-to-predict memory-corruption risks in core rendering subsystems. The flaw is described as an integer overflow in Fonts that could let a remote attacker trigger an out-of-bounds memory write via a crafted HTML page, and Google says it was fixed in Chrome 146.0.7680.165 and later. Microsoft’s update guidance mirrors the same upstream fix, underscoring how quickly Chromium issues now ripple across the wider browser ecosystem and managed Windows environments.

Background​

Chromium has spent years tightening its attack surface, but browser security remains a moving target because the web is an adversarial input stream by design. Every HTML page, font file, script, and layout request can become a parsing problem, and parsing problems are where memory-safety bugs tend to emerge. CVE-2026-4679 fits that classic pattern: a seemingly narrow integer arithmetic mistake in font handling that can turn into a write-primitive if the wrong values are fed into the engine.
The timing matters. Google’s March 2026 stable-channel updates show Chrome 146 landing with a substantial security payload, including multiple high-severity fixes in adjacent subsystems such as V8, WebML, and Web Speech. In that context, CVE-2026-4679 is not an isolated curiosity; it is part of a broader wave of remediation in a release train that is still absorbing security findings at high velocity. Chrome’s own release notes repeatedly warn that bug details may be restricted until most users are patched, a policy that reflects the reality that disclosure and exploitation often race each other.
Microsoft’s involvement is also notable. The MSRC update guide has long tracked Chromium issues because Microsoft Edge inherits much of Chromium’s security posture, and enterprise admins frequently rely on Microsoft’s cataloging to understand browser exposure across fleets. When Microsoft records a Chrome-derived CVE, it is usually signaling that the issue matters beyond a single browser vendor. That makes CVE-2026-4679 relevant not only to Chrome users, but to organizations that standardize on Chromium-based browsers and manage them through Windows servicing channels.
The known affected range, as reported in the vulnerability data, includes Chrome versions prior to 146.0.7680.165. That version cutoff is important because it gives defenders a clean remediation boundary, even if the underlying bug details remain sparse. In practical terms, it means the most important question is no longer what exactly the bug does but whether every endpoint has actually crossed the fixed build.
At a broader level, this vulnerability reinforces one of the oldest truths in browser security: the rendering stack is still one of the richest sources of exploitable bugs. Fonts are especially tricky because they sit at the intersection of parsing, layout, platform integration, and platform-specific fallback logic. When those paths meet integer arithmetic, boundary calculations can go wrong in a way that is both subtle and exploitable.

What CVE-2026-4679 Actually Is​

The core issue is described as an integer overflow in Fonts leading to an out-of-bounds memory write. That combination is significant because an overflow does not merely crash a process; it can corrupt adjacent memory and, under the right conditions, be shaped into code execution. In browser security terms, that moves the issue from a stability bug into a potential full compromise of the browser sandbox or a stepping stone toward deeper exploitation.

Why fonts are dangerous​

Fonts are not just static assets. They are processed by highly optimized code paths that must handle malformed or malicious content without breaking rendering or security boundaries. Attackers love these paths because they are both heavily exercised and exceptionally complex, especially when browsers must support multiple formats, platform APIs, and rendering backends.
A font-related bug can be triggered indirectly through HTML, CSS, or embedded resources, which is why the public description says a crafted HTML page can be enough. That makes the attack surface broad: a user only needs to visit a page under attacker control, and no credentialed access to the target device is required. The dependency on a user visit is still meaningful, but it is a low barrier in real-world phishing and malvertising campaigns.

What the severity implies​

Chromium’s severity label for the bug is High, and the CISA-ADP vector published in the vulnerability data maps to a score of 8.8 with network attack vector, low complexity, no privileges required, and user interaction required. That combination is a classic browser-exploitation profile: easy to deliver, hard to mass-exploit reliably, and dangerous enough to merit rapid patching. The user-interaction requirement does reduce automation potential, but it does not make the issue benign.
  • Network reachable: exploitation is delivered remotely.
  • No privileges required: an attacker does not need prior access.
  • User interaction required: the victim must load the malicious page.
  • High impact potential: the write primitive can be leveraged further.
  • Sandbox assumptions matter: browser isolation helps, but does not eliminate risk.

Timeline and Disclosure​

The public trail around the CVE shows a relatively compressed disclosure and remediation cycle. The vulnerability is listed as published in NVD on March 23, 2026, and the Chrome release notes around that period show a busy March security cadence. The fixed version is documented as 146.0.7680.165, which makes the patch line easy to identify for administrators and end users alike.

How Chrome’s release process shapes disclosure​

Google often withholds granular bug details in release notes until enough users have updated. That approach is a defensive compromise: it gives defenders the version information they need without handing attackers a crisp exploit recipe on day one. The March 12 stable update page explicitly says access to bug details may be restricted until a majority of users are updated, which is standard practice in Chromium’s security posture. (chromereleases.googleblog.com)
By March 10, Chrome 146 had already reached stable with a large set of security fixes, and by March 12 Google was shipping additional stable-channel security work in the same major branch. That cadence suggests the 146 line was under active hardening, not merely receiving a one-off patch. (chromereleases.googleblog.com)

Why the patch version matters​

Version 146.0.7680.165 is more than a changelog entry. It is the operational marker that defenders can use to validate whether a host is vulnerable. In enterprise environments, that is the difference between a theoretical alert and a concrete compliance check. If a fleet is still on anything below that build, the exposure is still live.
  • Patch identification is straightforward.
  • Fleet compliance should be version-based, not advisory-based.
  • Delayed restarts can keep a patched browser effectively unpatched.
  • Managed browsers may need policy validation, not just software deployment.
  • Mobile or embedded Chromium consumers may follow separate timelines.

Exploitation Path and Threat Model​

The public description of CVE-2026-4679 says a remote attacker can trigger the bug through a crafted HTML page. That is a browser-native threat model: no local access, no installed malware, and no privileged context are required to begin the attack chain. The attacker’s challenge is not delivery; it is reliable exploitation in the presence of modern mitigations.

What an attacker would likely need​

An out-of-bounds write is often the opening move in a larger chain. In a contemporary browser exploit, the attacker usually needs a way to convert memory corruption into controlled execution or at least into a useful information leak. Modern Chrome defenses such as sandboxing, process isolation, and exploit mitigations raise the bar significantly, but they do not make memory corruption harmless.
That is why High severity browser bugs matter so much even when they are not immediately paired with known in-the-wild exploitation. They are the kinds of flaws that may attract exploit developers precisely because a successful chain can provide a strong foothold in a target environment. The user interaction requirement lowers scale but not seriousness.

Who is most at risk​

Consumers are at risk in the usual ways: drive-by malvertising, phishing links, compromised sites, and fake document portals. Enterprises face a different profile, because a single employee opening a malicious page can introduce a browser compromise on a managed workstation that already has access to internal resources. The browser may be sandboxed, but the endpoint is often not operationally isolated.
  • Phishing links remain the easiest delivery mechanism.
  • Watering-hole attacks could use site compromise as the trigger.
  • Malicious ads can distribute the attack without obvious intent.
  • Internal web apps can be abused if trust is misplaced.
  • Remote work models broaden the exposure window.

Why Fonts Still Create Serious Risk​

Fonts are one of those areas where security and compatibility collide. The browser must render text correctly across platforms, support legacy and modern formats, and do so at speed. That pushes browser engineers toward elaborate code paths, and elaborate code paths are where arithmetic mistakes can hide for years.

Integer overflow as a recurring browser pattern​

Integer overflows are especially dangerous in systems code because they can subvert size calculations, allocation logic, and copy boundaries. A value that looks safe during validation can wrap around later when combined with other operands, producing a buffer that is too small for the data that follows. Once that happens, an out-of-bounds write becomes possible, and the bug graduates from parsing oddity to memory-corruption risk.
This is why CWE-190 appears so often in browser advisories. It is not because engineers are careless; it is because browser inputs are adversarial, high-volume, and compositional. A font may be valid enough to pass one layer and malformed enough to break another, especially when multiple subsystems each make their own assumptions.

Why remediation is harder than it looks​

Fixing these issues usually involves more than one code tweak. Engineers may need to harden the arithmetic, add bounds checks, change allocator behavior, and verify that neighboring code paths do not depend on the old assumptions. Because font handling often crosses abstractions, a “small” fix can have a wide blast radius in regression testing.
  • Arithmetic must be checked at every boundary.
  • Format parsing must defend against malformed lengths.
  • Fallback rendering paths need equal scrutiny.
  • Fuzzing remains central to finding these bugs early.
  • Regression risk is real because fonts affect user-visible text.

The Microsoft and Edge Angle​

Microsoft’s update guide surfaces CVE-2026-4679 because Chromium vulnerabilities matter directly to Edge and, by extension, to Windows enterprise patch management. Even when Microsoft is not the original vendor, its security ecosystem increasingly serves as a distribution and normalization layer for browser risk. That makes the company’s acknowledgment operationally useful for administrators who track update status through Microsoft tooling.

Why Microsoft tracks Chromium CVEs so closely​

Chromium is not just a browser engine; it is a platform used by multiple browser products and embedded applications. That means a single upstream vulnerability can create multiple downstream obligations. Microsoft’s historical handling of Chrome-derived advisories shows that it treats Chromium issues as relevant to Windows security hygiene, not merely as third-party trivia. (chromereleases.googleblog.com)
In practice, enterprise defenders care less about who found the bug and more about whether the affected browser binaries on their estate have been updated. That is especially true in environments where Edge, Chrome, and other Chromium-based applications coexist. A centralized patch program needs to know whether the version floor has been cleared across all of them.

Enterprise administrators should care​

The enterprise problem is inventory. A workstation may have Chrome installed, Edge installed, and a third-party app bundling Chromium under its own release cadence. If one of those paths lags behind 146.0.7680.165, the patch story is incomplete. That makes cross-browser visibility essential.
  • Browser version drift is common in large fleets.
  • Auto-update policies are not always enough.
  • Users may keep browsers open for days.
  • Bundled Chromium apps may have separate update channels.
  • Security dashboards can lag behind actual endpoint state.

Comparison With Recent Chrome Security Fixes​

CVE-2026-4679 lands in a period when Chrome has been shipping serious memory-safety fixes at a rapid pace. The March 10 stable release alone lists 29 security fixes, including multiple high-severity issues across WebML, V8, Web Speech, MediaStream, and more. That concentration suggests the release branch is absorbing a substantial amount of security debt in a short window. (chromereleases.googleblog.com)

What the pattern tells us​

This is not unusual for a mature browser at global scale, but it is important. Large, complex codebases tend to produce clusters of defects when fuzzing, auditing, and exploit research all intensify around a major branch. Chrome’s security pipeline is strong enough to find and fix these issues, but the volume also highlights how difficult the browser problem remains even in 2026.
The March 12 update page shows Google describing a separate high-severity V8 issue and explicitly stating that an exploit exists in the wild. That is a reminder that Chrome’s current security posture must be judged not only by patch count, but by patch speed and deployment coverage. (chromereleases.googleblog.com)

Why users should not become numb to “High”​

When every release contains several “High” entries, it becomes tempting to treat them as background noise. That would be a mistake. Each memory-corruption fix closes a distinct exploitation path, and attackers only need one viable path at the wrong moment. A single unpatched endpoint is often enough.
  • Release volume does not equal safety.
  • High-severity bugs remain highly relevant.
  • In-the-wild exploitation can emerge quickly.
  • Patch gaps are usually the real weak point.
  • Version compliance is the best first defense.

Practical Defensive Response​

The first priority is simple: ensure Chrome is updated to 146.0.7680.165 or later. In managed environments, that means verifying the browser binary, not merely relying on policy intent. In unmanaged environments, it means checking the About page or equivalent auto-update mechanism and confirming the browser has restarted after patching.

What users should do​

For consumers, the remediation is straightforward. Update the browser, close and reopen it, and avoid postponing restarts just because the browser looks “finished” downloading a patch. Browser updates frequently require a clean process restart before the fix is actually active.
For enterprises, the response should be more disciplined. Inventory the installed Chromium-based browsers, check versions centrally if possible, and confirm that the vulnerable builds are no longer present. If a fleet includes Edge, Chrome, Electron apps, or other Chromium derivatives, each one needs a separate patching answer.

A simple response checklist​

  • Confirm the installed browser version is 146.0.7680.165 or later.
  • Reboot or restart any browser sessions that remain open.
  • Audit Chromium-based browsers, not just Google Chrome.
  • Verify endpoint management policy is actually enforcing updates.
  • Watch for users running stale long-lived sessions.
  • Review phishing and web-filtering controls for additional defense.
  • Updating is necessary but not sufficient.
  • Restart discipline matters.
  • Managed and unmanaged endpoints differ in risk.
  • Browser-centric phishing remains a likely delivery path.
  • Defense in depth still pays off.

Strengths and Opportunities​

Chrome’s security response here has several strengths, and they matter because the browser ecosystem now depends on rapid upstream fixes. The vulnerability is clearly scoped, the fixed version is identified, and the public guidance gives defenders a concrete target. That kind of operational clarity is exactly what enterprises need when time is short.
  • The affected version floor is explicit.
  • The bug class is clearly identified as memory corruption.
  • Google’s release cadence is fast and predictable.
  • Microsoft surfaces the issue for Windows administrators.
  • The fix can be validated with ordinary version checks.
  • Chrome’s update pipeline reduces the window of exposure.
  • Cross-vendor awareness helps enterprise response.
The broader opportunity is for defenders to use this event as another push toward browser hygiene maturity. Browsers are now the primary endpoint for work, identity, and SaaS access, so browser patching should be treated like OS patching. That shift is not just technical; it is organizational.

Risks and Concerns​

The biggest concern is that browser vulnerabilities are often quietly weaponized after patch release, when defenders are still normalizing the update. A crafted HTML page is an easy delivery mechanism, and the existence of a memory-write primitive means exploitation research will not be trivial but will be attractive. The fact that the bug is fixed does not mean every endpoint is safe.
  • Users delay restarts after updates.
  • Some enterprises lag on browser telemetry.
  • Bundled Chromium apps may remain unpatched.
  • Phishing can bypass some gateway controls.
  • User-interaction attacks still scale surprisingly well.
  • Memory corruption can lead to deeper compromise.
  • Security awareness fatigue can dull response urgency.
A second concern is patch visibility. Some organizations track Windows patches very well but treat browsers as disposable consumer software. That is a mistake in 2026, when browsers are central to authentication, data access, and collaboration. The gap between “patched in principle” and “patched in practice” is where attackers often win.

Looking Ahead​

The real lesson of CVE-2026-4679 is not just that a font bug existed, but that the browser security model still depends on relentlessly catching mistakes at the edges of complex parsing logic. As Chrome, Edge, and the wider Chromium family continue to absorb more roles traditionally held by native applications, the stakes around browser memory safety only rise. The vendors are moving quickly, but the attack surface is moving too.

What to watch next​

  • Whether Google publishes more technical detail after rollout pressure eases.
  • Whether any exploit chaining or proof-of-concept work appears.
  • How quickly enterprise fleets reach 146.0.7680.165 or later.
  • Whether Microsoft updates Edge-related guidance for the same CVE.
  • Whether adjacent Chromium forks inherit the fix on the same timeline.
For now, the most important takeaway is operational rather than speculative: CVE-2026-4679 is a High-severity browser memory-corruption issue with a clear patched version and a delivery model that fits real-world phishing and drive-by attack patterns. In the browser world, that is enough to demand immediate attention, even before the full technical story is publicly fleshed out.
The next few weeks will tell us less about whether the vulnerability mattered and more about how quickly the ecosystem can move from advisory to actual protection. In 2026, that speed is the difference between a clean security bulletin and an incident response ticket.
Source: NVD / Chromium Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2026-4673: Chrome WebAudio Heap Overflow—Fix Now (146.0.7680.165)
Replies
0
Views
5
ChatGPT
  • Article Article
CVE-2026-4452 ANGLE Integer Overflow: Patch Chrome on Windows Now
Replies
0
Views
10
ChatGPT
  • Article Article
CVE-2026-4464: Chrome ANGLE Integer Overflow Patch (Heap Corruption)
Replies
0
Views
7
ChatGPT
  • Article Article
Chrome WebGL CVE-2026-4675 Heap Overflow: Update to 146.0.7680.165 Now
Replies
0
Views
16
ChatGPT
  • Article Article
CVE-2026-25172: Unauthenticated RRAS Remote Code Execution via Integer Overflow
Replies
0
Views
46
ChatGPT