Critical Chrome Flaws Let Attackers Execute Arbitrary Code

Google has released an urgent security update for its Chrome browser, resolving multiple dangerous vulnerabilities.

The Chrome team promoted version 147 to the stable channel for Windows, Mac, and Linux users on April 7, 2026.

This major release patches flaws that could allow attackers to execute arbitrary code and take full control of affected systems. The update is currently rolling out to all users globally over the coming days and weeks.

The most severe threats in this update are two critical vulnerabilities located in the WebML component. Tracked as CVE-2026-5858 and CVE-2026-5859, these flaws involve heap buffer and integer overflows.

Because of the high risk they pose, Google awarded massive $43,000 bug bounties to the security researchers who discovered them.

These critical bugs can be exploited simply by tricking a user into visiting a specially crafted webpage, making immediate patching absolutely essential.

Beyond the critical flaws, Chrome 147 addresses numerous high-severity bugs spread across several key browser components.

Security researchers found serious issues like use-after-free errors, type confusion, and out-of-bounds read and write flaws in the V8 JavaScript engine, WebRTC, Media, Blink, and Skia.

If exploited, these vulnerabilities could cause the browser to crash or allow malicious actors to compromise the underlying system.

Google paid tens of thousands of dollars in rewards to the ethical hackers who reported these issues to prevent them from falling into the wrong hands.

To protect users, Google will keep the technical details and exploit methods for these vulnerabilities strictly restricted.

This coordinated disclosure policy guarantees that the majority of the public has enough time to install the security patch before cybercriminals can reverse-engineer the fixes.

It also protects other software projects that depend on the same vulnerable third-party libraries, ensuring that the wider tech ecosystem remains secure while patches are developed and deployed.

Due to the severe nature of the WebML flaws, individuals and enterprise administrators are strongly advised to update their browsers immediately.

You can force the update manually by opening the Chrome menu, navigating to Help, and selecting About Google Chrome.

The browser will automatically download version 147.0.7727.55 for Linux or 147.0.7727.55/56 for Windows and Mac, securing your device against potential cyberattacks.

Chrome 147 Security Fixes

CVE ID Severity Component Vulnerability Type
CVE-2026-5858 Critical WebML Heap buffer overflow
CVE-2026-5859 Critical WebML Integer overflow
CVE-2026-5860 High WebRTC Use after free
CVE-2026-5861 High V8 Use after free
CVE-2026-5862 High V8 Inappropriate implementation
CVE-2026-5863 High V8 Inappropriate implementation
CVE-2026-5864 High WebAudio Heap buffer overflow
CVE-2026-5865 High V8 Type Confusion
CVE-2026-5866 High Media Use after free
CVE-2026-5867 High WebML Heap buffer overflow
CVE-2026-5868 High ANGLE Heap buffer overflow
CVE-2026-5869 High WebML Heap buffer overflow
CVE-2026-5870 High Skia Integer overflow
CVE-2026-5871 High V8 Type Confusion
CVE-2026-5872 High Blink Use after free
CVE-2026-5873 High V8 Out of bounds read and write
CVE-2026-5874 Medium PrivateAI Use after free
CVE-2026-5875 Medium Blink Policy bypass
CVE-2026-5876 Medium Navigation Side-channel information leakage
CVE-2026-5877 Medium Navigation Use after free
CVE-2026-5878 Medium Blink Incorrect security UI
CVE-2026-5879 Medium ANGLE Insufficient validation of untrusted input
CVE-2026-5880 Medium browser UI Incorrect security UI
CVE-2026-5881 Medium LocalNetworkAccess Policy bypass
CVE-2026-5882 Medium Fullscreen Incorrect security UI
CVE-2026-5883 Medium Media Use after free
CVE-2026-5884 Medium Media Insufficient validation of untrusted input
CVE-2026-5885 Medium WebML Insufficient validation of untrusted input
CVE-2026-5886 Medium WebAudio Out of bounds read
CVE-2026-5887 Medium Downloads Insufficient validation of untrusted input
CVE-2026-5888 Medium WebCodecs Uninitialized Use
CVE-2026-5889 Medium PDFium Cryptographic Flaw
CVE-2026-5890 Medium WebCodecs Race
CVE-2026-5891 Medium browser UI Insufficient policy enforcement
CVE-2026-5892 Medium PWAs Insufficient policy enforcement
CVE-2026-5893 Medium V8 Race
CVE-2026-5894 Low PDF Inappropriate implementation
CVE-2026-5895 Low Omnibox Incorrect security UI
CVE-2026-5896 Low Audio Policy bypass
CVE-2026-5897 Low Downloads Incorrect security UI
CVE-2026-5898 Low Omnibox Incorrect security UI
CVE-2026-5899 Low History Navigation Incorrect security UI
CVE-2026-5900 Low Downloads Policy bypass
CVE-2026-5901 Low DevTools Policy bypass
CVE-2026-5902 Low Media Race
CVE-2026-5903 Low IFrameSandbox Policy bypass
CVE-2026-5904 Low V8 Use after free
CVE-2026-5905 Low Permissions Incorrect security UI
CVE-2026-5906 Low Omnibox Incorrect security UI
CVE-2026-5907 Low Media Insufficient data validation
CVE-2026-5908 Low Media Integer overflow
CVE-2026-5909 Low Media Integer overflow
CVE-2026-5910 Low Media Integer overflow
CVE-2026-5911 Low ServiceWorkers Policy bypass
CVE-2026-5912 Low WebRTC Integer overflow
CVE-2026-5913 Low Blink Out of bounds read
CVE-2026-5914 Low CSS Type Confusion
CVE-2026-5915 Low WebML Insufficient validation of untrusted input
CVE-2026-5918 Low Navigation Inappropriate implementation
CVE-2026-5919 Low WebSockets Insufficient validation of untrusted input

Related Articles

Back to top button