
CVE-2026-13938: Google Chrome RCE Vulnerability

CVE-2026-13938 is a remote code execution vulnerability in Google Chrome caused by an integer overflow in Fonts. Attackers can exploit this via crafted HTML pages. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-13938 Overview

CVE-2026-13938 is an integer overflow vulnerability in the Fonts component of Google Chrome versions prior to 150.0.7871.47. The flaw allows a remote attacker to trigger an out-of-bounds memory write by serving a crafted HTML page to a target browser. Chromium classifies the security severity as Medium, while the National Vulnerability Database (NVD) assigns a CVSS 3.1 base score of 8.8 (High). The vulnerability maps to CWE-472: External Control of Assumed-Immutable Web Parameter and requires user interaction such as visiting a malicious page.

Critical Impact

Successful exploitation enables an out-of-bounds write in the renderer process, which can lead to arbitrary code execution and full compromise of confidentiality, integrity, and availability on the affected system.

Affected Products

  • Google Chrome for Desktop versions prior to 150.0.7871.47
  • Chromium-based browsers embedding vulnerable font handling code
  • Downstream distributions relying on the pre-patch Chromium font pipeline

Discovery Timeline

  • 2026-06-30 - CVE-2026-13938 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-13938

Vulnerability Analysis

The vulnerability resides in the Fonts subsystem of Google Chrome. An integer overflow occurs during size calculations used to allocate or index memory buffers that hold font data parsed from a web page. When the computed value wraps around the integer boundary, the resulting undersized allocation or miscalculated offset produces an out-of-bounds memory write. The write operates within the renderer process address space and can corrupt adjacent objects, function pointers, or metadata used later during execution.

Because the trigger is a crafted HTML page, an attacker only needs the victim to load attacker-controlled content in a tab or iframe. Chained with a sandbox escape, the primitive can lead to full remote code execution on the host.

Root Cause

The root cause is unchecked arithmetic during font-related buffer sizing. The code trusts values derived from font data structures without validating that intermediate multiplications or additions remain within the representable range of the destination integer type. This condition aligns with CWE-472 and typical integer overflow patterns that precede heap corruption.

Attack Vector

Exploitation is network-based and requires user interaction. An attacker hosts a malicious HTML page referencing a crafted font resource or invoking specific font APIs. When a user visits the page, Chrome parses the font input and executes the vulnerable arithmetic path, producing the out-of-bounds write. No authentication is required. Common delivery mechanisms include phishing links, malvertising, and compromised third-party content embedded via iframes.

No public proof-of-concept, exploit code, or in-the-wild exploitation has been reported. The EPSS probability is 0.208% at the 10.9 percentile as of 2026-07-02. Refer to the Chromium Issue Tracker Entry for additional technical context once access restrictions are lifted.

Detection Methods for CVE-2026-13938

Indicators of Compromise

  • Chrome renderer process crashes with heap corruption signatures shortly after loading external HTML or font resources.
  • Unexpected child processes spawned by chrome.exe or chrome following navigation to untrusted domains.
  • Outbound connections from Chrome renderer processes to previously unseen domains hosting font files (.woff, .woff2, .ttf, .otf).

Detection Strategies

  • Inventory installed Chrome versions across the fleet and flag any build below 150.0.7871.47.
  • Correlate browser crash telemetry with recent URL navigation history to surface potential exploitation attempts.
  • Alert on renderer processes writing to disk or launching interpreters such as powershell.exe, cmd.exe, or bash.

Monitoring Recommendations

  • Ingest browser process telemetry and web proxy logs into a centralized analytics platform for correlation.
  • Monitor for anomalous font file downloads from low-reputation domains and block execution when policy permits.
  • Track Chrome auto-update status through endpoint management to confirm patch deployment across managed devices.

How to Mitigate CVE-2026-13938

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.47 or later on all Windows, macOS, and Linux endpoints.
  • Restart Chrome after updating so patched binaries and renderer processes are loaded.
  • Audit Chromium-based browsers and embedded WebViews for equivalent upstream fixes.

Patch Information

Google released the fix in the Stable channel update documented in the Google Chrome Desktop Update advisory. Enterprise administrators should push the update through Chrome Browser Cloud Management, Group Policy, or their standard software distribution tooling. Verify the installed build by navigating to chrome://settings/help on each endpoint.

Workarounds

  • Restrict browsing to trusted sites using web filtering while patch deployment is in progress.
  • Enable Site Isolation and strict Enhanced Safe Browsing to reduce the impact of malicious content.
  • Block downloads and rendering of untrusted font resources at the network proxy where operationally feasible.

```bash
# Verify Chrome version on Linux endpoints
google-chrome --version

# Windows: query the installed version from the registry
reg query "HKLM\Software\Google\Chrome\BLBeacon" /v version
```
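Added example (not part of this advisory or of Google's tooling) that implements the fleet inventory step from Detection Strategies and the build verification from Patch Information: it parses the output of the two commands above and compares the build number numerically against 150.0.7871.47. Host names and the sample command outputs are constructed.

```python
"""Added fleet check for CVE-2026-13938: flag Chrome builds below 150.0.7871.47.

Parses output of `google-chrome --version` (Linux/macOS) or of the Windows
`reg query ... BLBeacon /v version` command and compares the build number
numerically, so a string comparison cannot rank "99.0..." above "150.0...".
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]
FIXED_VERSION: Version = (150, 0, 7871, 47)  # first build carrying the fix
# Four-part build number anywhere in a line, e.g. "Google Chrome 149.0.7800.12"
# or "    version    REG_SZ    150.0.7871.47" (reg query output).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Optional[Version]:
    """Return the first build number found in tool output, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(version: Version) -> bool:
    """Tuple comparison is component-wise numeric, not lexical."""
    return version < FIXED_VERSION

def classify_output(text: str) -> str:
    """Map raw command output to VULNERABLE, PATCHED or UNKNOWN."""
    v = parse_version(text)
    if v is None:
        return "UNKNOWN"  # Chrome absent or output not understood; triage by hand
    return "VULNERABLE" if is_vulnerable(v) else "PATCHED"

def local_chrome_output() -> str:
    """Run the advisory's Linux check on this host; "" if Chrome is absent."""
    try:
        return subprocess.run(["google-chrome", "--version"], capture_output=True,
                              text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

if __name__ == "__main__":
    # Constructed sample outputs standing in for results collected from a fleet.
    samples = {
        "host-a (linux)": "Google Chrome 149.0.7800.12",
        "host-b (linux)": "Google Chrome 150.0.7871.47",
        "host-c (windows)": "    version    REG_SZ    150.0.7900.3",
        "host-d (old)": "Google Chrome 99.0.4844.51",
        "localhost": local_chrome_output(),
    }
    for host, out in samples.items():
        print(f"{host:18s} {classify_output(out)}")
```

Feed it the collected command output per host (from your endpoint management export) instead of the constructed samples to produce the fleet list.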

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
