Critical Chrome Vulnerabilities Allow Arbitrary Code Execution
Google has officially rolled out Chrome 147 to the stable channel for Windows, Mac, and Linux, delivering one of the most significant security patch batches in recent memory. The release patches two critical vulnerabilities and more than a dozen high-severity flaws that could expose billions of users to remote code execution and memory corruption attacks.
Released on April 7, 2026, Chrome 147.0.7727.55 (Linux) and 147.0.7727.55/56 (Windows/Mac) will roll out to users over the coming days and weeks.
Two Critical Flaws at the Core
At the heart of this security release are twin critical-severity vulnerabilities residing in Chrome’s WebML (Web Machine Learning) component, the API responsible for hardware-accelerated machine learning operations inside the browser.
CVE-2026-5858 is a heap buffer overflow in WebML, reported on March 17, 2026. The flaw allows a remote attacker to execute arbitrary code via a specially crafted HTML page. Google awarded a $43,000 bug bounty for its discovery, reflecting the severity of the impact.
CVE-2026-5859 is an integer overflow in WebML, reported anonymously on March 19, 2026, and rewarded with a $43,000 bounty.
Both vulnerabilities can be triggered simply by luring a user to an attacker-controlled webpage, where malicious HTML corrupts heap memory, opening the door to full code execution within the browser process.
High-Severity Bugs Patched
Beyond the critical pair, Chrome 147 addresses 14 high-severity vulnerabilities spanning multiple browser subsystems:
- CVE-2026-5860 & CVE-2026-5861 — Use-after-free flaws in WebRTC and V8, rewarded with $11,000 and $3,000 bounties respectively
- CVE-2026-5862 & CVE-2026-5863 — Inappropriate implementation bugs in the V8 JavaScript engine, reported internally by Google
- CVE-2026-5864 — Heap buffer overflow in WebAudio, discovered by researcher Syn4pse
- CVE-2026-5865 & CVE-2026-5871 — Type confusion vulnerabilities in V8, which can allow memory misinterpretation leading to code execution
- CVE-2026-5866 — Use-after-free in the Media subsystem
- CVE-2026-5867 & CVE-2026-5869 — Additional heap buffer overflows in WebML
- CVE-2026-5868 — Heap buffer overflow in ANGLE, Chrome’s graphics abstraction layer
- CVE-2026-5870 — Integer overflow in the Skia graphics library
- CVE-2026-5872 & CVE-2026-5873 — Use-after-free in Blink and out-of-bounds read/write in V8, both flagged internally by Google
Medium and Low Severity Issues
Chrome 147 also closes 20 medium-severity and 24 low-severity vulnerabilities across a broad attack surface.
Notable medium-severity patches include a use-after-free in PrivateAI (CVE-2026-5874), a policy bypass in Blink (CVE-2026-5875), a side-channel information leakage in Navigation (CVE-2026-5876), and a cryptographic flaw in PDFium (CVE-2026-5889).
A race condition in WebCodecs (CVE-2026-5890) and insufficient policy enforcement in Progressive Web Apps (CVE-2026-5892) round out the significant medium-tier concerns.
Low-severity fixes address incorrect security UI presentations across multiple components, including Omnibox, Downloads, Permissions, and History Navigation, as well as policy bypass issues in ServiceWorkers, DevTools, and IFrameSandbox.
| CVE ID | Severity | Component | Vulnerability Type | Bounty | Reported By |
|---|---|---|---|---|---|
| CVE-2026-5858 | Critical | WebML | Heap buffer overflow | $43,000 | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5859 | Critical | WebML | Integer overflow | $43,000 | Anonymous |
| CVE-2026-5860 | High | WebRTC | Use after free | $11,000 | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5861 | High | V8 | Use after free | $3,000 | 5shain |
| CVE-2026-5862 | High | V8 | Inappropriate implementation | TBD | |
| CVE-2026-5863 | High | V8 | Inappropriate implementation | TBD | |
| CVE-2026-5864 | High | WebAudio | Heap buffer overflow | TBD | Syn4pse |
| CVE-2026-5865 | High | V8 | Type Confusion | TBD | Project WhatForLunch (@pjwhatforlunch) |
| CVE-2026-5866 | High | Media | Use after free | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5867 | High | WebML | Heap buffer overflow | TBD | Syn4pse |
| CVE-2026-5868 | High | ANGLE | Heap buffer overflow | TBD | cinzinga |
| CVE-2026-5869 | High | WebML | Heap buffer overflow | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5870 | High | Skia | Integer overflow | TBD | |
| CVE-2026-5871 | High | V8 | Type Confusion | TBD | |
| CVE-2026-5872 | High | Blink | Use after free | TBD | |
| CVE-2026-5873 | High | V8 | Out of bounds read and write | TBD | |
| CVE-2026-5874 | Medium | PrivateAI | Use after free | $11,000 | Krace |
| CVE-2026-5875 | Medium | Blink | Policy bypass | $4,000 | Lyra Rebane (rebane2001) |
| CVE-2026-5876 | Medium | Navigation | Side-channel information leakage | $2,000 | Lyra Rebane (rebane2001) |
| CVE-2026-5877 | Medium | Navigation | Use after free | TBD | Cassidy Kim (@cassidy6564) |
| CVE-2026-5878 | Medium | Blink | Incorrect security UI | TBD | Shaheen Fazim |
| CVE-2026-5879 | Medium | ANGLE | Insufficient validation of untrusted input | TBD | parkminchan / SSD Labs Korea |
| CVE-2026-5880 | Medium | Browser UI | Incorrect security UI | TBD | Anonymous |
| CVE-2026-5881 | Medium | LocalNetworkAccess | Policy bypass | TBD | asnine |
| CVE-2026-5882 | Medium | Fullscreen | Incorrect security UI | TBD | Anonymous |
| CVE-2026-5883 | Medium | Media | Use after free | TBD | sherkito |
| CVE-2026-5884 | Medium | Media | Insufficient validation of untrusted input | TBD | xmzyshypnc |
| CVE-2026-5885 | Medium | WebML | Insufficient validation of untrusted input | TBD | Bryan Bernhart |
| CVE-2026-5886 | Medium | WebAudio | Out of bounds read | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5887 | Medium | Downloads | Insufficient validation of untrusted input | TBD | daffainfo |
| CVE-2026-5888 | Medium | WebCodecs | Uninitialized Use | TBD | Octane Security Team |
| CVE-2026-5889 | Medium | PDFium | Cryptographic Flaw | TBD | mlafon |
| CVE-2026-5890 | Medium | WebCodecs | Race condition | TBD | Casper Woudenberg |
| CVE-2026-5891 | Medium | Browser UI | Insufficient policy enforcement | TBD | Tianyi Hu |
| CVE-2026-5892 | Medium | PWAs | Insufficient policy enforcement | TBD | Tianyi Hu |
| CVE-2026-5893 | Medium | V8 | Race condition | TBD | QYmag1c |
| CVE-2026-5894 | Low | | Inappropriate implementation | $1,000 | Povcfe / Tencent Security Xuanwu Lab |
| CVE-2026-5895 | Low | Omnibox | Incorrect security UI | TBD | Renwa Hiwa @RenwaX23 |
| CVE-2026-5896 | Low | Audio | Policy bypass | TBD | Luan Herrera (@lbherrera_) |
| CVE-2026-5897 | Low | Downloads | Incorrect security UI | TBD | Farras Givari |
| CVE-2026-5898 | Low | Omnibox | Incorrect security UI | TBD | saidinahikam032 |
| CVE-2026-5899 | Low | History Navigation | Incorrect security UI | TBD | Islam Rzayev |
| CVE-2026-5900 | Low | Downloads | Policy bypass | TBD | Luan Herrera (@lbherrera_) |
| CVE-2026-5901 | Low | DevTools | Policy bypass | TBD | Povcfe / Tencent Security Xuanwu Lab |
| CVE-2026-5902 | Low | Media | Race condition | TBD | Luke Francis |
| CVE-2026-5903 | Low | IFrameSandbox | Policy bypass | TBD | @Ciarands |
| CVE-2026-5904 | Low | V8 | Use after free | TBD | Zhenpeng (Leo) Lin / depthfirst |
| CVE-2026-5905 | Low | Permissions | Incorrect security UI | TBD | daffainfo |
| CVE-2026-5906 | Low | Omnibox | Incorrect security UI | TBD | mohamedhesham9173 |
| CVE-2026-5907 | Low | Media | Insufficient data validation | TBD | Luke Francis |
| CVE-2026-5908 | Low | Media | Integer overflow | TBD | Ameen Basha M K & Mohammed Yasar B |
| CVE-2026-5909 | Low | Media | Integer overflow | TBD | Mohammed Yasar B & Ameen Basha M K |
| CVE-2026-5910 | Low | Media | Integer overflow | TBD | Ameen Basha M K & Mohammed Yasar B |
| CVE-2026-5911 | Low | ServiceWorkers | Policy bypass | TBD | lebr0nli / NYCU Security Lab |
| CVE-2026-5912 | Low | WebRTC | Integer overflow | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5913 | Low | Blink | Out of bounds read | TBD | Vitaly Simonovich |
| CVE-2026-5914 | Low | CSS | Type Confusion | TBD | Syn4pse |
| CVE-2026-5915 | Low | WebML | Insufficient validation of untrusted input | TBD | ningxin.hu@intel.com |
| CVE-2026-5918 | Low | Navigation | Inappropriate implementation | TBD | |
| CVE-2026-5919 | Low | WebSockets | Insufficient validation of untrusted input | TBD | Richard Belisle |
According to Google's advisory, users can force an immediate update by navigating to Chrome Menu → Help → About Google Chrome, which triggers a check for the latest version. A browser restart is required to fully apply the patch.
Organizations running enterprise deployments should prioritize pushing version 147.0.7727.55/56 across their fleets without delay.