CVE-2026-4679
Published: 24 March 2026
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2026-4679 is an integer overflow vulnerability in the Fonts component of Google Chrome versions prior to 146.0.7680.165. The flaw allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. It is associated with CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), and carries a Chromium security severity rating of High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise within the browser's sandboxed context.
Google's stable channel update for desktop, documented at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html, addresses the issue in Chrome 146.0.7680.165. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/491516670. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an integer overflow in Chrome's Fonts component exploited via a crafted HTML page on a malicious website, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).