CVE-2026-11299: Integer Overflow in Google Chrome Font Processing (Medium Severity)
A flaw in how Google Chrome handles font data can lead to information disclosure when a user visits a malicious webpage. An attacker can craft a specially designed HTML page that exploits an integer overflow vulnerability in Chrome's font processing code, potentially allowing them to read sensitive data from the browser's memory. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction (visiting the malicious site) to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125, CWE-190
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Integer overflow in Fonts in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11299 is an integer overflow vulnerability (CWE-190) in the font rendering subsystem of Google Chrome prior to version 149.0.7827.53. The flaw stems from improper bounds checking (CWE-125) in font data processing, which permits an attacker to cause an out-of-bounds read operation. When triggered via a crafted HTML page delivered over the network, the vulnerability enables memory disclosure that may expose sensitive process information. The CVSS 3.1 score of 6.5 (Medium severity) reflects the network attack vector, low complexity, lack of privilege requirements, and requirement for user interaction, balanced against high confidentiality impact with no integrity or availability compromise.
Business impact
This vulnerability primarily affects confidentiality. Organizations should evaluate whether Chrome is used to access sensitive data or systems in their environment. The information disclosure could expose session tokens, authentication credentials, or other sensitive values cached in memory. While the attack requires a user to navigate to a malicious page, modern environments with web browsing controls may face lower risk. The Medium CVSS rating suggests this is not immediately critical compared to high-severity vulnerabilities, but should be prioritized given its network exploitability and relatively easy trigger mechanism.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are directly affected. The vulnerability applies across all supported platforms including Windows, macOS, and Linux systems running vulnerable Chrome builds. Organizations deploying Chrome across heterogeneous environments should prioritize updates universally. Other Chromium-based browsers may also be affected depending on their inclusion of the vulnerable code path; verify vendor advisories for Edge, Opera, and other derivatives.
Exploitability
Exploitation requires network access and user interaction—specifically, a user must visit a malicious or compromised website. The attack surface is broad since any webpage can serve the crafted HTML payload. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no evidence of active exploitation in the wild at the time of publication, though this does not preclude future weaponization. The straightforward attack chain (malicious page → user visit → memory disclosure) makes this feasible for moderately skilled threat actors.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. Most users on Chrome's automatic update track will receive the patch transparently. Enterprise environments should verify patch deployment through configuration management tools and browser version reporting. For Chromium-based alternatives, check vendor advisories to confirm patch availability and version numbers. No workarounds exist; patching is the primary mitigation. Consider supplementary controls such as disabling JavaScript or restricting visited domains if immediate patching is not feasible, though these significantly degrade user experience.
Patch guidance
Google has released Chrome 149.0.7827.53 as the patch version addressing this vulnerability. Users can verify their current version via Chrome Menu > About Google Chrome, which will also automatically check and install available updates. Enterprise administrators should deploy this version through their standard Chrome management channels (Google Admin Console, Windows WSUS, macOS MDM, or Linux package managers depending on deployment model). Verify successful deployment by confirming all client machines report version 149.0.7827.53 or later. No compatibility issues are anticipated with this patch release.
Detection guidance
Monitor Chrome version reporting across your fleet using endpoint detection and response (EDR) tools, mobile device management (MDM), or browser telemetry solutions. Alert on any instances still running Chrome versions before 149.0.7827.53. For network detection, intrusion detection systems may flag anomalous font processing requests, though no specific signature exists for this vulnerability. Consider monitoring for suspicious outbound memory access patterns if your environment supports that granularity. Reviewing browser crash logs may identify exploitation attempts, though the vulnerability does not necessarily cause crashes. Log failed patch deployment to identify systems requiring manual intervention.
Why prioritize this
Despite Medium CVSS scoring and absence from the KEV catalog, this vulnerability warrants timely but not emergency prioritization. The network attack vector and user-interaction requirement make it broadly exploitable, but the confidentiality-only impact means it poses less risk than vulnerabilities affecting integrity or availability. Organizations with heavy browser-based workflows handling sensitive data should prioritize patching within 30 days. Those running Chrome in restricted environments (no external web browsing) or on isolated systems can afford longer timelines. Patch coverage should still be comprehensive to prevent selective targeting.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) reflects four key factors: (1) network attack vector (AV:N) captures broad exploitability without requiring physical or local access; (2) low attack complexity (AC:L) indicates the exploit does not require specialized conditions; (3) no privileges required (PR:N) and user interaction required (UI:R) create a realistic but achievable attack path; (4) high confidentiality impact (C:H) is offset by no integrity (I:N) or availability (A:N) impact. This score appropriately positions the vulnerability as moderately severe—more critical than low-impact bugs but less urgent than code execution or privilege escalation issues.
Frequently asked questions
Can this vulnerability be exploited without a user clicking on a link or visiting a site?
No. Exploitation requires a user to actively visit a malicious or compromised webpage in Chrome. The vulnerability cannot be triggered remotely through email, drive-by downloads, or without user navigation. This requirement meaningfully raises the bar for attack success compared to wormable vulnerabilities.
Will updating Chrome affect my bookmarks, passwords, or extensions?
No. Updating Chrome preserves all stored data, bookmarks, passwords, and extensions. The patch is a point release that focuses on security fixes and should integrate seamlessly into your existing profile. Always verify you are signed into your Google account to ensure synchronization across devices if applicable.
Does this vulnerability affect Chrome on mobile devices?
Yes, Chrome on Android and iOS is affected by the same integer overflow flaw. Update Chrome through your respective app store (Google Play Store or Apple App Store) to receive the patched version. Prioritize mobile device updates if your organization uses mobile Chrome for sensitive tasks.
If I cannot update Chrome immediately, what should I do?
If immediate patching is impossible, limit visits to untrusted websites and avoid clicking suspicious links. Disable JavaScript in Chrome settings (though this reduces functionality) as an interim measure. Consider using an alternative browser temporarily for sensitive operations. However, patching within 30 days is strongly recommended to close the exposure window.
This analysis is provided for informational and defensive purposes only. SEC.co makes no warranties regarding the completeness or accuracy of this content and does not assume liability for its use. Readers should independently verify all patch versions, compatibility statements, and vendor advisories with official sources before deployment. Patch timing and availability may vary by geography and organization type. This vulnerability has not been confirmed as actively exploited in the wild at publication; threat landscape conditions may change. Organizations should complement this guidance with their own risk assessment, endpoint capabilities, and business continuity requirements. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11006MEDIUMChrome Out-of-Bounds Read in Dawn Graphics API—Urgent Patch Required
- CVE-2026-11075MEDIUMOut-of-Bounds Read in Chrome V8 Engine – Memory Disclosure Vulnerability
- CVE-2026-11090MEDIUMChrome ANGLE Memory Leak Enables Cross-Origin Data Theft
- CVE-2026-11096MEDIUMChrome WebRTC Out-of-Bounds Read
- CVE-2026-11183MEDIUMChrome GWP-ASan Memory Disclosure – Patch Guidance
- CVE-2026-9882MEDIUMChrome ANGLE Integer Overflow Allows Cross-Origin Data Leakage