Description
Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow (CWE-472) in the way Chrome processes font data. An attacker can craft a malicious HTML page that causes Chrome to execute arbitrary code while still inside the browser sandbox. Chromium labels the flaw Medium severity, but because it leads to remote code execution, the overall impact on the affected user is substantial.

Affected Systems

Google Chrome on any desktop operating system, at any version older than 148.0.7778.168. The issue applies to all product releases that use the affected font handling code.

Risk and Exploitability

Exploitation requires the victim to open a specially crafted HTML page, which can be delivered through a web site, email, or other remote content. The CVSS score of 8.8 indicates high severity. The EPSS score of <1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits remote code execution within the sandbox, the risk remains high if an attacker manages to trigger it, especially in environments where Chrome is widely deployed and not kept up to date.

Generated by OpenCVE AI on May 15, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 148.0.7778.168 or later.
  • Enable automatic updates for Chrome to ensure timely reception of security patches.
  • Identify and update all Chromium‑based applications on the network that may contain the same font handling code.

Advisories
Source | ID | Title
Debian DSA | DSA-6273-1 | chromium security update

History

Fri, 15 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Chrome Font Handling Integer Overflow Enabling Remote Code Execution | chromium-browser: chromium-browser: Integer overflow in Fonts
Weaknesses | | CWE-190
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Thu, 14 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Font Handling Integer Overflow Enabling Remote Code Execution

Thu, 14 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Thu, 14 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-472
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-15T03:56:40.651Z

Reserved: 2026-05-14T05:40:26.059Z

Link: CVE-2026-8577

Vulnrichment

Updated: 2026-05-14T20:45:55.307Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T20:17:20.063

Modified: 2026-05-14T21:19:23.923

Link: CVE-2026-8577

Redhat

Severity: Moderate

Public Date: 2026-05-14T19:52:40Z

Links: CVE-2026-8577 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T15:30:02Z

Weaknesses