Google has rolled out Chrome version 147 to its stable channel across Windows, Mac, and Linux platforms. This release addresses numerous security concerns, including two critical vulnerabilities that could potentially allow remote attackers to execute arbitrary code on affected machines.
Details of Critical Vulnerabilities
The most significant vulnerabilities patched in this update are identified as CVE-2026-5858 and CVE-2026-5859. Both issues are rated as Critical and have each been awarded a bug bounty of $43,000. CVE-2026-5858 involves a heap buffer overflow in Chrome’s Web Machine Learning (WebML) API, discovered by researcher c6eed09fc8b174b0f3eebedcceb1e792 on March 17, 2026. Meanwhile, CVE-2026-5859 is an integer overflow within WebML, reported anonymously on March 19, 2026.
These vulnerabilities can be exploited through a specially crafted HTML page, allowing attackers to corrupt heap memory. Such exploits may lead to arbitrary code execution within the browser environment, posing significant security risks.
Understanding WebML’s Role
The WebML API is designed to enhance machine learning processes directly in the browser, offering accelerated inference capabilities. However, flaws in memory boundary validation during ML model operations or malformed tensor data processing can lead to dangerous situations where attackers write beyond allocated memory buffers.
This failure to enforce proper memory limits is a precursor to potential code execution exploits, highlighting the importance of robust security measures in handling machine learning tasks within the browser.
Additional Vulnerabilities and Security Measures
Beyond the critical issues, Chrome 147 addresses 14 high-severity vulnerabilities affecting various browser components. These include use-after-free vulnerabilities in WebRTC and the V8 JavaScript engine, inappropriate implementations, and heap buffer overflows in WebML and WebAudio.
Moreover, the update patches medium and low-severity vulnerabilities across multiple subsystems. These fixes address issues such as policy bypasses, incorrect security UI, and input validation weaknesses. While these are considered less urgent, they still pose risks like UI spoofing or sensitive data leakage if exploited.
Updating to the Latest Version
To safeguard against these vulnerabilities, users should ensure their Chrome browser is updated to version 147.0.7727.55 on Linux or 147.0.7727.55/56 on Windows and Mac. This can be done by navigating to Chrome Menu → Help → About Google Chrome.
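For administrators checking more than one machine, the following added example (not from Google or the original article) classifies reported Chrome version strings against the fixed build 147.0.7727.55 named above. The host names and inventory lines are constructed sample data, and the input format assumes output such as that of `google-chrome --version`.

```python
import re

# Fixed build named in the article (lowest patched build on Linux, Windows and Mac).
FIXED = (147, 0, 7727, 55)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 147.0.7727.55'. Returns a tuple of ints or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: treat as needing follow-up, not as safe
    # Tuple comparison is numeric per component, so 7727.9 < 7727.55 and
    # major 99 < 147; a plain string comparison gets both of these wrong.
    return "patched" if v >= fixed else "vulnerable"


def audit(inventory):
    """Map host -> status for (host, version_text) pairs."""
    return {host: classify(text) for host, text in inventory}


# Constructed sample inventory (hypothetical hosts and versions), e.g. collected
# from `google-chrome --version` output or an endpoint-management export.
SAMPLE = [
    ("linux-01", "Google Chrome 147.0.7727.55"),
    ("win-07", "Google Chrome 147.0.7727.56"),
    ("mac-03", "Google Chrome 146.0.7700.120"),
    ("linux-02", "Google Chrome 147.0.7727.9"),
    ("kiosk-11", "Google Chrome 99.0.4844.84"),
    ("win-22", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` should be followed up rather than assumed patched, since a missing or unreadable version usually means the inventory data is stale or the browser is installed under a different name.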
Google’s extensive testing infrastructure, including tools like AddressSanitizer and libFuzzer, played a crucial role in identifying these vulnerabilities before they could be exploited in real-world scenarios.
