Critical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code

Jennifer sherman
April 9, 2026 3 Min Read

Key Takeaways

  • Google has rolled out Chrome 147, patching 20 vulnerabilities, including two critical arbitrary code execution flaws.
  • The critical vulnerabilities, CVE-2026-5858 and CVE-2026-5859, are heap buffer overflow and integer overflow issues in the WebML API.
  • Exploitation could allow remote attackers to execute arbitrary code by crafting a malicious HTML page.
  • Users on Windows, Mac, and Linux are urged to update their Chrome browser to version 147.0.7727.55 or later immediately.

Google has issued a vital update for its Chrome browser, version 147, for Windows, Mac, and Linux platforms. This release is crucial, as it resolves numerous security weaknesses, most notably two critical vulnerabilities that could enable remote attackers to execute arbitrary code on affected systems.

These critical flaws, identified as CVE-2026-5858 and CVE-2026-5859, each carried a substantial bug bounty reward of $43,000, underscoring their severity and potential impact.

Critical WebML Vulnerabilities Detailed

CVE-2026-5858 is categorized as a heap buffer overflow within Chrome’s Web Machine Learning (WebML) API implementation. This vulnerability was brought to Google’s attention by researcher c6eed09fc8b174b0f3eebedcceb1e792 on March 17, 2026.

Following closely, CVE-2026-5859, an integer overflow also found in WebML, was reported anonymously on March 19, 2026. Both vulnerabilities pose a significant risk: they can be triggered by a specially crafted HTML page, potentially allowing remote attackers to corrupt heap memory and achieve arbitrary code execution within the browser process.

The WebML API is designed to accelerate machine learning inference directly within the browser environment. The vulnerabilities stem from the API’s failure to adequately validate memory boundaries when processing malformed tensor data or executing ML model operations. This oversight allows attackers to write data beyond the allocated buffer space, a common technique used in exploits to achieve code execution.
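
An added illustration of the bug class described above, not code from Chrome or from this article: a tensor byte-size calculation whose 32-bit product wraps, beside a version that rejects overflow and bounds-checks the copy. The `tensor_desc` type, the function names, and the size cap are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tensor descriptor (illustrative names, not Chrome's). */
typedef struct {
    const uint32_t *dims; /* dimension sizes taken from untrusted input */
    size_t rank;          /* number of dimensions */
    uint32_t elem_size;   /* bytes per element, e.g. 4 for float32 */
} tensor_desc;

/* Flawed pattern: the 32-bit product wraps silently to a too-small size. */
uint32_t tensor_bytes_unchecked(const tensor_desc *t) {
    uint32_t n = t->elem_size;
    for (size_t i = 0; i < t->rank; i++) n *= t->dims[i];
    return n;
}

/* Hardened pattern: fail on zero sizes, on overflow, or above a policy cap. */
bool tensor_bytes_checked(const tensor_desc *t, size_t max_bytes, size_t *out) {
    size_t n = t->elem_size;
    if (n == 0 || t->rank == 0) return false;
    for (size_t i = 0; i < t->rank; i++) {
        size_t d = t->dims[i];
        if (d == 0 || n > SIZE_MAX / d) return false; /* product would wrap */
        n *= d;
        if (n > max_bytes) return false;
    }
    *out = n;
    return true;
}

/* Copy only when the validated size equals the source length and fits dst. */
bool tensor_copy_checked(void *dst, size_t dst_cap, const void *src,
                         size_t src_len, const tensor_desc *t) {
    size_t need;
    if (!tensor_bytes_checked(t, dst_cap, &need) || need != src_len) return false;
    memcpy(dst, src, need);
    return true;
}

int main(void) {
    const uint32_t dims[] = {65536u, 16385u}; /* constructed sample input */
    tensor_desc t = {dims, 2, 4};
    size_t need = 0;
    printf("unchecked=%u accepted=%d\n", (unsigned)tensor_bytes_unchecked(&t), tensor_bytes_checked(&t, (size_t)1 << 28, &need));
    return 0;
}
```

With the constructed dimensions the true size is just over 4 GiB, yet the unchecked routine reports 262144 bytes; the checked routine refuses the tensor instead.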

High-Severity Vulnerabilities Patched

In addition to the two critical bugs, the Chrome 147 update addresses 14 high-severity CVEs across various browser components. These include:

  • CVE-2026-5860 – A use-after-free vulnerability in WebRTC (awarded an $11,000 bounty).
  • CVE-2026-5861 – A use-after-free flaw in the V8 JavaScript engine (receiving a $3,000 bounty).
  • CVE-2026-5862 & CVE-2026-5863 – Inappropriate implementation issues within V8, discovered through Google’s internal security audits.
  • CVE-2026-5864 – A heap buffer overflow in WebAudio, reported by Syn4pse.
  • CVE-2026-5865 – A type confusion vulnerability in V8, reported by Project WhatForLunch.
  • CVE-2026-5866 – A use-after-free vulnerability affecting the Media component.
  • CVE-2026-5867 & CVE-2026-5869 – Additional heap buffer overflows identified in WebML.
  • CVE-2026-5868 – A heap buffer overflow in the ANGLE graphics layer.
  • CVE-2026-5870 & CVE-2026-5871 – An integer overflow in Skia and a type confusion in V8, respectively.
  • CVE-2026-5872 & CVE-2026-5873 – A use-after-free in Blink and an out-of-bounds read/write in V8.

Use-after-free and type confusion vulnerabilities, particularly those impacting the V8 JavaScript engine, are especially concerning. Given V8’s privileged execution environment, these flaws can serve as potent vectors for sandbox escapes when combined with other renderer exploits.

The update also remediates a range of medium- and low-severity vulnerabilities across various subsystems. These include policy bypasses in Blink, LocalNetworkAccess, Progressive Web Apps (PWAs), and ServiceWorkers; incorrect security UI elements in fullscreen mode, the omnibox, and the general browser UI; a cryptographic flaw in PDFium (CVE-2026-5889); a race condition in WebCodecs; and insufficient input validation in Downloads, WebML, and ANGLE.

While these lower-severity bugs may not immediately lead to arbitrary code execution, they can be leveraged by attackers to spoof trusted UI, leak sensitive user data, or bypass content security policies, thereby enhancing more complex exploit chains.

Affected Versions and Recommended Action

The vulnerabilities affect Chrome versions prior to 147.0.7727.55 on Linux and prior to 147.0.7727.55/56 on Windows and Mac. Google's fuzzing and sanitizer tooling, including AddressSanitizer, MemorySanitizer, libFuzzer, and AFL, played a key role in identifying many of these issues before they could be actively exploited.

What You Should Do

  • Update Immediately: Users of Google Chrome on Windows, Mac, and Linux should update their browser to version 147.0.7727.55 or later without delay.
  • Verify Version: To update, navigate to the Chrome Menu (three vertical dots) > Help > About Google Chrome. The browser will automatically check for and apply updates.
  • Restart Browser: Ensure you restart your browser after the update to apply the patches effectively.
  • Stay Vigilant: Always be cautious about clicking on suspicious links or visiting untrusted websites, as these vulnerabilities can be triggered via specially crafted web pages.
