Critical Chrome Flaws Let Attackers Execute Arbitrary Code
Google has released an urgent security update for its Chrome browser, resolving multiple dangerous vulnerabilities.
The Chrome team promoted version 147 to the stable channel for Windows, Mac, and Linux users on April 7, 2026.
This major release patches flaws that could allow attackers to execute arbitrary code and take full control of affected systems. The update is currently rolling out to all users globally over the coming days and weeks.
The most severe threats in this update are two critical vulnerabilities located in the WebML component. Tracked as CVE-2026-5858 and CVE-2026-5859, these flaws involve heap buffer and integer overflows.
Because of the high risk they pose, Google awarded massive $43,000 bug bounties to the security researchers who discovered them.
These critical bugs can be exploited simply by tricking a user into visiting a specially crafted webpage, making immediate patching absolutely essential.
Beyond the critical flaws, Chrome 147 addresses numerous high-severity bugs spread across several key browser components.
Security researchers found serious issues like use-after-free errors, type confusion, and out-of-bounds read and write flaws in the V8 JavaScript engine, WebRTC, Media, Blink, and Skia.
If exploited, these vulnerabilities could cause the browser to crash or allow malicious actors to compromise the underlying system.
Google paid tens of thousands of dollars in rewards to the ethical hackers who reported these issues to prevent them from falling into the wrong hands.
To protect users, Google will keep the technical details and exploit methods for these vulnerabilities strictly restricted.
This coordinated disclosure policy guarantees that the majority of the public has enough time to install the security patch before cybercriminals can reverse-engineer the fixes.
It also protects other software projects that depend on the same vulnerable third-party libraries, ensuring that the wider tech ecosystem remains secure while patches are developed and deployed.
Due to the severe nature of the WebML flaws, individuals and enterprise administrators are strongly advised to update their browsers immediately.
You can force the update manually by opening the Chrome menu, navigating to Help, and selecting About Google Chrome.
The browser will automatically download version 147.0.7727.55 for Linux or 147.0.7727.55/56 for Windows and Mac, securing your device against potential cyberattacks.
Chrome 147 Security Fixes
| CVE ID | Severity | Component | Vulnerability Type |
|---|---|---|---|
| CVE-2026-5858 | Critical | WebML | Heap buffer overflow |
| CVE-2026-5859 | Critical | WebML | Integer overflow |
| CVE-2026-5860 | High | WebRTC | Use after free |
| CVE-2026-5861 | High | V8 | Use after free |
| CVE-2026-5862 | High | V8 | Inappropriate implementation |
| CVE-2026-5863 | High | V8 | Inappropriate implementation |
| CVE-2026-5864 | High | WebAudio | Heap buffer overflow |
| CVE-2026-5865 | High | V8 | Type Confusion |
| CVE-2026-5866 | High | Media | Use after free |
| CVE-2026-5867 | High | WebML | Heap buffer overflow |
| CVE-2026-5868 | High | ANGLE | Heap buffer overflow |
| CVE-2026-5869 | High | WebML | Heap buffer overflow |
| CVE-2026-5870 | High | Skia | Integer overflow |
| CVE-2026-5871 | High | V8 | Type Confusion |
| CVE-2026-5872 | High | Blink | Use after free |
| CVE-2026-5873 | High | V8 | Out of bounds read and write |
| CVE-2026-5874 | Medium | PrivateAI | Use after free |
| CVE-2026-5875 | Medium | Blink | Policy bypass |
| CVE-2026-5876 | Medium | Navigation | Side-channel information leakage |
| CVE-2026-5877 | Medium | Navigation | Use after free |
| CVE-2026-5878 | Medium | Blink | Incorrect security UI |
| CVE-2026-5879 | Medium | ANGLE | Insufficient validation of untrusted input |
| CVE-2026-5880 | Medium | browser UI | Incorrect security UI |
| CVE-2026-5881 | Medium | LocalNetworkAccess | Policy bypass |
| CVE-2026-5882 | Medium | Fullscreen | Incorrect security UI |
| CVE-2026-5883 | Medium | Media | Use after free |
| CVE-2026-5884 | Medium | Media | Insufficient validation of untrusted input |
| CVE-2026-5885 | Medium | WebML | Insufficient validation of untrusted input |
| CVE-2026-5886 | Medium | WebAudio | Out of bounds read |
| CVE-2026-5887 | Medium | Downloads | Insufficient validation of untrusted input |
| CVE-2026-5888 | Medium | WebCodecs | Uninitialized Use |
| CVE-2026-5889 | Medium | PDFium | Cryptographic Flaw |
| CVE-2026-5890 | Medium | WebCodecs | Race |
| CVE-2026-5891 | Medium | browser UI | Insufficient policy enforcement |
| CVE-2026-5892 | Medium | PWAs | Insufficient policy enforcement |
| CVE-2026-5893 | Medium | V8 | Race |
| CVE-2026-5894 | Low | Inappropriate implementation | |
| CVE-2026-5895 | Low | Omnibox | Incorrect security UI |
| CVE-2026-5896 | Low | Audio | Policy bypass |
| CVE-2026-5897 | Low | Downloads | Incorrect security UI |
| CVE-2026-5898 | Low | Omnibox | Incorrect security UI |
| CVE-2026-5899 | Low | History Navigation | Incorrect security UI |
| CVE-2026-5900 | Low | Downloads | Policy bypass |
| CVE-2026-5901 | Low | DevTools | Policy bypass |
| CVE-2026-5902 | Low | Media | Race |
| CVE-2026-5903 | Low | IFrameSandbox | Policy bypass |
| CVE-2026-5904 | Low | V8 | Use after free |
| CVE-2026-5905 | Low | Permissions | Incorrect security UI |
| CVE-2026-5906 | Low | Omnibox | Incorrect security UI |
| CVE-2026-5907 | Low | Media | Insufficient data validation |
| CVE-2026-5908 | Low | Media | Integer overflow |
| CVE-2026-5909 | Low | Media | Integer overflow |
| CVE-2026-5910 | Low | Media | Integer overflow |
| CVE-2026-5911 | Low | ServiceWorkers | Policy bypass |
| CVE-2026-5912 | Low | WebRTC | Integer overflow |
| CVE-2026-5913 | Low | Blink | Out of bounds read |
| CVE-2026-5914 | Low | CSS | Type Confusion |
| CVE-2026-5915 | Low | WebML | Insufficient validation of untrusted input |
| CVE-2026-5918 | Low | Navigation | Inappropriate implementation |
| CVE-2026-5919 | Low | WebSockets | Insufficient validation of untrusted input |