CVE-2026-7904 Overview
CVE-2026-7904 is an out-of-bounds read vulnerability in the Fonts component of Google Chrome versions prior to 148.0.7778.96. A remote attacker can trigger an out-of-bounds memory read by serving a crafted HTML page to a victim. Chromium classifies the security severity as High, while the NVD CVSS 3.1 base score is 4.3 (Medium).
The flaw is tracked as CWE-125: Out-of-bounds Read and affects Chrome on Windows, macOS, and Linux. Exploitation requires user interaction, typically loading an attacker-controlled web page. The issue can disclose process memory contents to the attacker, potentially aiding follow-on exploitation.
Critical Impact
A crafted HTML page can read out-of-bounds memory in the Chrome Fonts component, leaking sensitive process data to a remote attacker.
Affected Products
- Google Chrome versions prior to 148.0.7778.96
- Google Chrome on Microsoft Windows
- Google Chrome on Apple macOS and Linux
Discovery Timeline
- 2026-05-06 - CVE-2026-7904 published to NVD
- 2026-05-06 - Google publishes Stable Channel update for desktop addressing the issue
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7904
Vulnerability Analysis
The vulnerability resides in Chrome's Fonts handling code, which parses font data referenced by web content. When the browser processes a maliciously crafted font or font-related structure embedded in an HTML page, the parser reads memory outside the bounds of the intended buffer. This out-of-bounds read can return adjacent process memory to attacker-controlled JavaScript or rendering logic.
The attack is remote and requires user interaction, which in browser contexts means visiting a page or rendering attacker-controlled content. The scope is unchanged, and the impact is limited to confidentiality. There is no integrity or availability impact in the recorded CVSS metrics.
Root Cause
The root cause is missing or insufficient bounds checking in the Fonts component when interpreting font tables or glyph metadata. The parser trusts size or offset fields supplied by the input without validating them against the actual buffer length. As a result, read operations extend past the allocated region.
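The check this section describes as missing, shown as an added example rather than Chrome's code or the upstream fix. The advisory does not say which font structure is involved, so the generic sfnt table directory (12-byte header, 16-byte records) and the helper name `sfnt_find_table` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SFNT_HEADER_SIZE 12u /* sfntVersion, numTables, three search fields */
#define SFNT_RECORD_SIZE 16u /* tag, checksum, offset, length */

/* Big-endian readers; the caller must have bounds-checked the range. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* True when [off, off + n) lies inside a buffer of len bytes. Written as a
 * subtraction so that off + n can never wrap around. */
static int in_bounds(size_t len, size_t off, size_t n) { return off <= len && n <= len - off; }

/* Hypothetical helper: return a pointer to the body of table `tag`, or NULL
 * when the directory or the table body would fall outside buf. */
const uint8_t *sfnt_find_table(const uint8_t *buf, size_t len,
                               const char tag[4], size_t *out_len) {
    if (!in_bounds(len, 0, SFNT_HEADER_SIZE)) return NULL;
    size_t num_tables = be16(buf + 4);
    /* The record count is input-controlled: size the directory first. */
    if (!in_bounds(len, SFNT_HEADER_SIZE, num_tables * SFNT_RECORD_SIZE))
        return NULL;
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + SFNT_HEADER_SIZE + i * SFNT_RECORD_SIZE;
        if (memcmp(rec, tag, 4) != 0) continue;
        size_t off = be32(rec + 8), n = be32(rec + 12);
        /* offset and length come from the file; check before any read. */
        if (!in_bounds(len, off, n)) return NULL;
        *out_len = n;
        return buf + off;
    }
    return NULL;
}

/* Constructed sample: a 32-byte buffer whose single "cmap" record claims
 * a 64-byte body at offset 28. */
static const uint8_t sample_bad[32] = {
    0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0,            /* header, numTables = 1 */
    'c', 'm', 'a', 'p', 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 64,  /* record */
    0xAA, 0xAA, 0xAA, 0xAA};                        /* 4 bytes of body */

int main(void) { /* exits 0 when the oversized record is rejected */
    size_t n = 0;
    return sfnt_find_table(sample_bad, sizeof sample_bad, "cmap", &n) != NULL;
}
```

A parser that skipped the final `in_bounds` call would hand its caller a pointer with a 64-byte length over a 4-byte region, which is the CWE-125 pattern.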
Attack Vector
An attacker hosts a crafted HTML page that references or embeds a malicious font payload. When a victim using a vulnerable Chrome build loads the page, the renderer parses the font and performs the out-of-bounds read. Disclosed bytes may include heap layout information, pointers, or sensitive data useful for bypassing Address Space Layout Randomization (ASLR) in chained exploits.
No proof-of-concept exploit is publicly listed for CVE-2026-7904, and the vulnerability is not on the CISA Known Exploited Vulnerabilities catalog. Technical details are tracked in Chromium Issue Tracker #492350406.
Detection Methods for CVE-2026-7904
Indicators of Compromise
- Chrome renderer crashes or unexpected termination logs referencing the Fonts component on pages from untrusted origins.
- Outbound connections from end-user hosts to recently registered or low-reputation domains hosting font-heavy HTML payloads.
- Browser telemetry showing Chrome versions older than 148.0.7778.96 still in active use.
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build below 148.0.7778.96.
- Monitor web proxy and DNS logs for requests to suspicious sites delivering custom @font-face resources or unusual font MIME types.
- Correlate renderer process crashes with browsing history to identify potential exploitation attempts.
Monitoring Recommendations
- Enable browser version reporting through enterprise management tools such as Chrome Browser Cloud Management.
- Ingest endpoint browser telemetry into a central data lake to query for outdated Chrome installations at scale.
- Track Google Chrome Stable Update advisories to align detection content with each release cycle.
How to Mitigate CVE-2026-7904
Immediate Actions Required
- Update Google Chrome to version 148.0.7778.96 or later on Windows, macOS, and Linux endpoints.
- Force a browser restart after the update so the patched binary is loaded into memory.
- Verify that auto-update is enabled and not blocked by group policy or network controls.
Patch Information
Google has released the fix in the Stable Channel update for desktop. Administrators should reference the Google Chrome Stable Update announcement and deploy 148.0.7778.96 or higher. Embedded Chromium-based products should pick up the corresponding upstream fix once vendors release updated builds.
Workarounds
- Restrict browsing to trusted sites using URL allow-listing where business needs allow.
- Disable or block web fonts via enterprise policy on high-risk endpoints until patching is complete.
- Apply Site Isolation and ensure renderer sandboxing is enforced to limit the value of leaked memory.
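# Verify Chrome version on Linux endpoints
google-chrome --version
# macOS: the binary lives inside the application bundle, not on PATH
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# Windows: query installed Chrome version via registry (BLBeacon is a per-user key under HKCU)
reg query "HKCU\SOFTWARE\Google\Chrome\BLBeacon" /v version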


