Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000
SecurityWeek, archived Apr 10, 2026
The critical vulnerabilities affect Chrome’s WebML component and they have been reported by anonymous researchers.
Google announced this week the first stable version of Chrome 147, which patches 60 vulnerabilities, two of them rated critical.
The critical vulnerabilities both impact Chrome’s WebML component, which is designed for running machine learning models directly in the browser.
The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859).
The reporting researchers each earned $43,000 for their findings. The significant bug bounty rewards coupled with the severity rating suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution.
Of the remaining vulnerabilities fixed in Chrome, 14 have been assigned a ‘high’ severity rating.
The flaws affect Chrome components such as WebRTC, V8, WebAudio, Media, WebML, Angle, Skia, and Blink. Nearly half of them were found internally by Google, and many have been reported by anonymous researchers.
The tech giant has announced a bug bounty for only two of them: $11,000 for CVE-2026-5860 and $3,000 for CVE-2026-5861.
The remaining security holes have been assigned ‘medium’ and ‘low’ severity ratings, but at least one of the medium-severity issues appears significant.
Google has paid out an $11,000 bug bounty for CVE-2026-5874, a use-after-free bug in PrivateAI.
There is no mention of any vulnerabilities being exploited in the wild.
In late March, Google released a Chrome update to patch 21 vulnerabilities, including a zero-day exploited in malicious attacks.
Google also announced this week that it has rolled out new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies.
Written by Eduard Kovacs
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.