CVE-2026-4679
Published: 24 March 2026
Summary
CVE-2026-4679 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks at the 25.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4679 is an integer overflow vulnerability in the Fonts component of Google Chrome versions prior to 146.0.7680.165. The flaw allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. It is associated with CWE-190 (Integer Overflow or Wraparound) and CWE-472, and carries a Chromium security severity rating of High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, as it requires user interaction but no special privileges. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise within the browser's sandboxed context.
Google's stable channel update for desktop, documented at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html, addresses the issue in Chrome 146.0.7680.165. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/491516670. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14686
Vulnerability details
Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an integer overflow in Chrome's Fonts component exploited via a crafted HTML page on a malicious website, enabling drive-by compromise (T1189) and exploitation for client execution (T1203).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Directly mitigates CVE-2026-4679 by requiring timely flaw remediation through installation of the Chrome 146.0.7680.165 patch addressing the Fonts integer overflow.
- SI-16 (Memory Protection): Provides memory protection mechanisms such as non-executable memory and address space randomization to counter the out-of-bounds memory write enabled by this integer overflow vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify systems running vulnerable Chrome versions prior to 146.0.7680.165 affected by this Fonts component integer overflow.
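As an added example of the version check the scanning control above calls for (not code from the advisory or from Google), the script below parses Chrome version strings and flags any host whose reported build predates 146.0.7680.165. The inventory, hostnames and non-fixed version numbers are constructed for illustration.

```python
"""Inventory check for CVE-2026-4679: flag Chrome builds older than the fixed release."""
from typing import Iterable
# Fixed version taken from the Chrome stable channel update cited above.
FIXED_VERSION = "146.0.7680.165"


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a Chrome version such as '146.0.7680.165' into a comparable int tuple.
    Plain string comparison is wrong for versions ('99.0' sorts after '146.0'),
    so each component is converted to int. Chrome uses four components; shorter
    strings are zero-padded so that '146.0' compares as 146.0.0.0.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def vulnerable_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hostnames whose reported Chrome version predates the fix.

    Unparseable versions are returned too: an unknown version cannot be
    confirmed as patched, so it needs manual review rather than silent skipping.
    """
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "146.0.7680.165"),  # fixed build: not flagged
    ("ws-02", "146.0.7680.120"),  # same branch, older build: vulnerable
    ("ws-03", "145.0.7632.88"),   # earlier major: vulnerable
    ("ws-04", "147.0.7700.1"),    # newer build: not affected
    ("ws-05", "unknown"),         # unparseable: flagged for manual review
]

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))  # ['ws-02', 'ws-03', 'ws-05']
```

Feed it the version strings your endpoint management tool reports; hosts it returns either need the 146.0.7680.165 update or a manual check of what is actually installed.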