Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code

Home Chrome Critical Chrome Vulnerabilities Let Attackers to Execute Arbitrary Code Google has released Chrome 147 to the stable channel for Windows, Mac, and Linux, patching a sweeping set of security vulnerabilities — including two critical-severity flaws that could allow remote attackers to execute arbitrary code on targeted systems. The most severe vulnerabilities in this release are CVE-2026-5858 and CVE-2026-5859, both carrying a Critical severity rating and commanding a $43,000 bug bounty reward each. CVE-2026-5858 is a heap buffer overflow in WebML Chrome’s implementation of the Web Machine Learning API reported by researcher c6eed09fc8b174b0f3eebedcceb1e792 on March 17, 2026. CVE-2026-5859 is an integer overflow in WebML, reported anonymously on March 19, 2026. Both vulnerabilities can be triggered via a specially crafted HTML page, enabling remote attackers to corrupt heap memory and potentially achieve arbitrary code execution within the browser process. WebML is designed to accelerate machine learning inference directly inside the browser. When processing malformed tensor data or performing ML model operations, the implementation fails to properly validate memory boundaries, allowing attackers to write beyond allocated buffers, a classic precursor to code-execution exploits. High-Severity Vulnerabilities Patched Beyond the two critical bugs, this update addresses 14 High-severity CVEs spanning multiple browser subsystems: CVE-2026-5860 – Use-after-free in WebRTC ($11,000 bounty) CVE-2026-5861 – Use-after-free in V8 JavaScript engine ($3,000 bounty) CVE-2026-5862 & CVE-2026-5863 – Inappropriate implementation in V8, reported by Google internally CVE-2026-5864 – Heap buffer overflow in WebAudio, reported by Syn4pse CVE-2026-5865 – Type Confusion in V8, reported by Project WhatForLunch CVE-2026-5866 – Use-after-free in Media CVE-2026-5867 & CVE-2026-5869 – Heap buffer overflows in WebML CVE-2026-5868 – Heap buffer overflow in ANGLE graphics layer CVE-2026-5870 & CVE-2026-5871 – Integer overflow in Skia and Type Confusion in V8 CVE-2026-5872 & CVE-2026-5873 – Use-after-free in Blink and out-of-bounds read/write in V8 Use-after-free and type confusion bugs in V8 are particularly dangerous, as V8’s privileged execution environment makes them viable pathways for sandbox escape when chained with renderer exploits. The release also resolves Medium-severity and Low-severity vulnerabilities covering a wide range of subsystems, including policy bypasses in Blink, LocalNetworkAccess, PWAs, and ServiceWorkers; incorrect security UI in fullscreen, omnibox, and browser UI; a cryptographic flaw in PDFium (CVE-2026-5889); a race condition in WebCodecs; and insufficient input validation in Downloads, WebML, and ANGLE. While lower in urgency, these bugs can enable attackers to spoof trusted UI elements, leak sensitive navigation data, or bypass content security policies — complementing more severe exploit chains. Affected Versions This update addresses vulnerabilities in Chrome versions prior to 147.0.7727.55 for Linux and 147.0.7727.55/56 for Windows and Mac. Users should update immediately by navigating to Chrome Menu → Help → About Google Chrome. Google’s fuzzing infrastructure, including AddressSanitizer, MemorySanitizer, libFuzzer, and AFL, was instrumental in detecting many of these bugs before they could be weaponized in the wild. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer Cyber Security News Hackers Abuse Legitimate Meta Business Manager Notifications to Deliver Phishing Emails Cyber Security News Microsoft 365 Network-Level Disruption Affecting Exchange Online, Teams, and Core Suite Services Top 10 Top 10 Best User Access Management Tools in 2026 April 4, 2026 Top 10 Best VPN For Chrome in 2026 April 4, 2026 20 Best Application Performance Monitoring Tools in 2026 April 3, 2026 Top 10 Best VPN For Linux In 2026 April 3, 2026 10 Best VPN For Privacy In 2026 April 2, 2026