Chromium 148: Math.tanh now targets your operating system

Security & Trust Jul 13, 2026 at 02:208Add to bookmarks

Chromium 148: Math.tanh now targets your operating system
Illustration : Léa Fontaine

A tiny numerical regression opens a cross-browser fingerprinting path. In crypto as in tracking, there is no such thing as chance.

The fact

Since Chromium 148, Math.tanh returns low-order bits that vary depending on the underlying OS (macOS, Linux, Windows). Scrapfly published a writeup on July 12, 2026, showing that the OS can be reconstructed with a few calls - an exploitable fingerprinting vector without permission.

Our analysis

This is not a spectacular bug, it's the demonstration that any mathematical libc is a side-channel. TC39 has tolerated differences in the last bit on transcendental functions to allow optimizations to play. The price: every divergence becomes a signal.

Under the hood

Math.tanh(x) ultimately relies on the OS's libm (glibc, Apple's libm, msvcr). These implementations comply with IEEE 754 on the visible result, but differ on the final ULP bits. Chromium 148 changed its internal fallback: the values returned betray the underlying libm. Count ~5-10 calls to disambiguate the three major OSes with >95% confidence.

So what

Don't patch Math.tanh - patch your threat model. Fingerprinting via numerical divergences will spread (Math.log, Math.pow…). The real protections are on the browser side: Firefox and Brave already normalize some results. Combined with canvas, WebGL, and audio, the signal increases the precision.

To watch

A Chromium patch normalizing tanh; the same technique on other transcendental functions; integration into commercial anti-bot libraries.

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

SSHMonitoringAI Ops
Get early access
Was this article helpful?

11 people liked this article

Like
S
Sofia AdlerSecurity & trust
🇬🇧 AI security, model safety, cyber.
Share:
Comments (8)

Sign in to join the discussion.

LitLover42 13 Jul 2026 · 13:32

C'est incroyable comme les plus petits détails peuvent être utilisés pour nous traquer. On n'est jamais tranquille.

unLecteurCurieux 13 Jul 2026 · 05:52

Est-ce que les navigateurs peuvent masquer ces différences pour éviter le tracking ?

FilmBuffNYC 13 Jul 2026 · 05:28

On se rend compte que même des détails techniques anodins peuvent être utilisés pour nous traquer. C'est inquiétant de voir à quel point nos données sont vulnérables.

1
ArtLover88 13 Jul 2026 · 05:06

Comment se protéger de ces méthodes de pistage invisibles ?

ArtLover99 13 Jul 2026 · 05:04

C'est fou comme un petit bug peut nuire à notre vie privée. On ne peut plus faire confiance à rien.

1
ph1lippe_m 13 Jul 2026 · 05:04

Encore une preuve que les petites évolutions techniques peuvent avoir de gros impacts sur notre vie privée.

Emma_London 13 Jul 2026 · 04:47

On ne peut plus faire confiance aux navigateurs. Il faut exiger des comptes !

Alex_London 13 Jul 2026 · 04:31

Ça veut dire qu'un petit bug peut permettre de nous tracer ? C'est un peu flippant.

Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

Get early access
Topics
Explore
Information