Google has unveiled the stable release of Chrome 147, which addresses 60 security vulnerabilities, including two critical ones. These critical issues pertain to the WebML component, a tool for running machine learning models within the browser.
Critical Security Flaws Addressed
The two critical vulnerabilities identified in Chrome’s WebML component have been classified as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859). These were reported by anonymous researchers who each received a $43,000 reward for their discoveries. The critical rating of these bugs suggests potential risks such as sandbox escapes and remote code execution.
High Severity Vulnerabilities
Besides the critical flaws, the update also rectifies 14 high-severity vulnerabilities. These affect various Chrome components, including WebRTC, V8, and WebAudio. Google internally discovered many of these issues, while others were identified by external researchers. Among these, two vulnerabilities were rewarded with bug bounties: $11,000 for CVE-2026-5860 and $3,000 for CVE-2026-5861.
Medium and Low Severity Issues
The remaining vulnerabilities are classified as medium and low severity. Notably, CVE-2026-5874, a medium-severity use-after-free error in PrivateAI, earned an $11,000 reward. Although these vulnerabilities are less severe, their resolution is crucial for maintaining browser security.
In a previous update in late March, Google addressed 21 vulnerabilities in Chrome, including a zero-day exploited in attacks. As part of ongoing security improvements, Google also introduced new session cookie protections to mitigate the risk of account compromise through stolen authentication cookies.
While there is no evidence of these vulnerabilities being exploited in the wild, the timely patching highlights Google’s commitment to browser security. The release of Chrome 147 underscores the importance of staying updated with the latest software versions to protect against potential threats.
