Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code
Key Takeaways
- Google has rolled out Chrome 147, patching 20 vulnerabilities, including two critical arbitrary code execution flaws.
- The critical vulnerabilities, CVE-2026-5858 and CVE-2026-5859, are heap buffer overflow and integer overflow issues in the WebML API.
- Exploitation could allow remote attackers to execute arbitrary code by crafting a malicious HTML page.
- Users on Windows, Mac, and Linux are urged to update their Chrome browser to version 147.0.7727.55 or later immediately.
Google has issued a vital update for its Chrome browser, version 147, for Windows, Mac, and Linux platforms. This release is crucial, as it resolves numerous security weaknesses, most notably two critical vulnerabilities that could enable remote attackers to execute arbitrary code on affected systems.
These critical flaws, identified as CVE-2026-5858 and CVE-2026-5859, each carried a substantial bug bounty reward of $43,000, underscoring their severity and potential impact.
Critical WebML Vulnerabilities Detailed
CVE-2026-5858 is categorized as a heap buffer overflow within Chrome’s Web Machine Learning (WebML) API implementation. This vulnerability was brought to Google’s attention by researcher c6eed09fc8b174b0f3eebedcceb1e792 on March 17, 2026.
Following closely, CVE-2026-5859, an integer overflow also found in WebML, was reported anonymously on March 19, 2026. Both vulnerabilities pose a significant risk: they can be triggered by a specially crafted HTML page, potentially allowing remote attackers to corrupt heap memory and achieve arbitrary code execution within the browser process.
The WebML API is designed to accelerate machine learning inference directly within the browser environment. The vulnerabilities stem from the API’s failure to adequately validate memory boundaries when processing malformed tensor data or executing ML model operations. This oversight allows attackers to write data beyond the allocated buffer space, a common technique used in exploits to achieve code execution.
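The bug class described above, as an added C example that is not Chrome's WebML code (the page does not give the actual root cause): a tensor byte-size computation that wraps in 32 bits, beside an overflow-checked version. The `tensor_desc` struct, `MAX_RANK` and all function names are hypothetical, and the input in `main` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RANK 8 /* assumed limit for this example */

/* Hypothetical tensor descriptor filled from untrusted page content. */
typedef struct {
    uint32_t rank;
    uint32_t dims[MAX_RANK];
    uint32_t elem_size; /* bytes per element, e.g. 4 for float32 */
} tensor_desc;

/* Unchecked: the 32-bit product wraps silently, so a huge logical tensor
 * can yield a small byte count that would then size a heap buffer. */
uint32_t byte_len_unchecked(const tensor_desc *t) {
    uint32_t n = t->elem_size;
    for (uint32_t i = 0; i < t->rank && i < MAX_RANK; i++)
        n *= t->dims[i];
    return n;
}

/* Checked: rejects bad rank, zero sizes, and any product that overflows. */
bool byte_len_checked(const tensor_desc *t, size_t *out) {
    if (t->rank == 0 || t->rank > MAX_RANK || t->elem_size == 0)
        return false;
    size_t n = t->elem_size;
    for (uint32_t i = 0; i < t->rank; i++) {
        if (t->dims[i] == 0 || n > SIZE_MAX / t->dims[i])
            return false;
        n *= t->dims[i];
    }
    *out = n;
    return true;
}

/* Accept a tensor only when the buffer length equals the checked size. */
bool tensor_is_valid(const tensor_desc *t, size_t data_len) {
    size_t need;
    return byte_len_checked(t, &need) && need == data_len;
}

int main(void) {
    tensor_desc t = {2, {0x10000u, 0x10001u}, 4}; /* constructed input */
    printf("unchecked=%u valid=%d\n", (unsigned)byte_len_unchecked(&t),
           tensor_is_valid(&t, byte_len_unchecked(&t)));
    return 0;
}
```

The constructed 65536 x 65537 float32 tensor needs about 17 GB, yet the unchecked path reports 262144 bytes; the checked path refuses it because the supplied length cannot match the true size.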
High-Severity Vulnerabilities Patched
In addition to the two critical bugs, the Chrome 147 update addresses 14 high-severity CVEs across various browser components. These include:
- CVE-2026-5860 – A use-after-free vulnerability in WebRTC (awarded an $11,000 bounty).
- CVE-2026-5861 – A use-after-free flaw in the V8 JavaScript engine (receiving a $3,000 bounty).
- CVE-2026-5862 & CVE-2026-5863 – Inappropriate implementation issues within V8, discovered through Google’s internal security audits.
- CVE-2026-5864 – A heap buffer overflow in WebAudio, reported by Syn4pse.
- CVE-2026-5865 – A type confusion vulnerability in V8, reported by Project WhatForLunch.
- CVE-2026-5866 – A use-after-free vulnerability affecting the Media component.
- CVE-2026-5867 & CVE-2026-5869 – Additional heap buffer overflows identified in WebML.
- CVE-2026-5868 – A heap buffer overflow in the ANGLE graphics layer.
- CVE-2026-5870 & CVE-2026-5871 – An integer overflow in Skia and a type confusion in V8, respectively.
- CVE-2026-5872 & CVE-2026-5873 – A use-after-free in Blink and an out-of-bounds read/write in V8.
Use-after-free and type confusion vulnerabilities, particularly those impacting the V8 JavaScript engine, are especially concerning. Given V8’s privileged execution environment, these flaws can serve as potent vectors for sandbox escapes when combined with other renderer exploits.
The update also remediates a range of medium and low-severity vulnerabilities. These span various subsystems and include policy bypasses in Blink, LocalNetworkAccess, Progressive Web Apps (PWAs), and ServiceWorkers. Additionally, issues such as incorrect security UI elements in fullscreen mode, the omnibox, and general browser UI, a cryptographic flaw in PDFium (CVE-2026-5889), a race condition in WebCodecs, and insufficient input validation in Downloads, WebML, and ANGLE have been addressed.
While these lower-severity bugs may not immediately lead to arbitrary code execution, they can be leveraged by attackers to spoof trusted UI, leak sensitive user data, or bypass content security policies, thereby enhancing more complex exploit chains.
Affected Versions and Recommended Action
This critical update targets vulnerabilities present in Chrome versions prior to 147.0.7727.55 for Linux, and 147.0.7727.55/56 for Windows and Mac users. Google’s robust fuzzing infrastructure, including AddressSanitizer, MemorySanitizer, libFuzzer, and AFL, played a key role in identifying many of these issues before they could be actively exploited.
What You Should Do
- Update Immediately: Users of Google Chrome on Windows, Mac, and Linux should update their browser to version 147.0.7727.55 or later without delay.
- Verify Version: To update, navigate to the Chrome Menu (three vertical dots) > Help > About Google Chrome. The browser will automatically check for and apply updates.
- Restart Browser: Ensure you restart your browser after the update to apply the patches effectively.
- Stay Vigilant: Always be cautious about clicking on suspicious links or visiting untrusted websites, as these vulnerabilities can be triggered via specially crafted web pages.