Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code

Google has released Chrome 147 to the stable channel for Windows, Mac, and Linux, patching a sweeping set of security vulnerabilities — including two critical-severity flaws that could allow remote attackers to execute arbitrary code on targeted systems.

The most severe vulnerabilities in this release are CVE-2026-5858 and CVE-2026-5859, both carrying a Critical severity rating and commanding a $43,000 bug bounty reward each.

CVE-2026-5858 is a heap buffer overflow in WebML Chrome’s implementation of the Web Machine Learning API reported by researcher c6eed09fc8b174b0f3eebedcceb1e792 on March 17, 2026.

CVE-2026-5859 is an integer overflow in WebML, reported anonymously on March 19, 2026. Both vulnerabilities can be triggered via a specially crafted HTML page, enabling remote attackers to corrupt heap memory and potentially achieve arbitrary code execution within the browser process.

WebML is designed to accelerate machine learning inference directly inside the browser. When processing malformed tensor data or performing ML model operations, the implementation fails to properly validate memory boundaries, allowing attackers to write beyond allocated buffers, a classic precursor to code-execution exploits.

High-Severity Vulnerabilities Patched

Beyond the two critical bugs, this update addresses 14 High-severity CVEs spanning multiple browser subsystems:

• CVE-2026-5860 – Use-after-free in WebRTC ($11,000 bounty)
• CVE-2026-5861 – Use-after-free in V8 JavaScript engine ($3,000 bounty)
• CVE-2026-5862 & CVE-2026-5863 – Inappropriate implementation in V8, reported by Google internally
• CVE-2026-5864 – Heap buffer overflow in WebAudio, reported by Syn4pse
• CVE-2026-5865 – Type Confusion in V8, reported by Project WhatForLunch
• CVE-2026-5866 – Use-after-free in Media
• CVE-2026-5867 & CVE-2026-5869 – Heap buffer overflows in WebML
• CVE-2026-5868 – Heap buffer overflow in ANGLE graphics layer
• CVE-2026-5870 & CVE-2026-5871 – Integer overflow in Skia and Type Confusion in V8
• CVE-2026-5872 & CVE-2026-5873 – Use-after-free in Blink and out-of-bounds read/write in V8

Use-after-free and type confusion bugs in V8 are particularly dangerous, as V8’s privileged execution environment makes them viable pathways for sandbox escape when chained with renderer exploits.

The release also resolves Medium-severity and Low-severity vulnerabilities covering a wide range of subsystems, including policy bypasses in Blink, LocalNetworkAccess, PWAs, and ServiceWorkers; incorrect security UI in fullscreen, omnibox, and browser UI; a cryptographic flaw in PDFium (CVE-2026-5889); a race condition in WebCodecs; and insufficient input validation in Downloads, WebML, and ANGLE.

While lower in urgency, these bugs can enable attackers to spoof trusted UI elements, leak sensitive navigation data, or bypass content security policies — complementing more severe exploit chains.

Affected Versions

This update addresses vulnerabilities in Chrome versions prior to 147.0.7727.55 for Linux and 147.0.7727.55/56 for Windows and Mac. Users should update immediately by navigating to Chrome Menu → Help → About Google Chrome.

Google’s fuzzing infrastructure, including AddressSanitizer, MemorySanitizer, libFuzzer, and AFL, was instrumental in detecting many of these bugs before they could be weaponized in the wild.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code appeared first on Cyber Security News.