Chrome 147 fixes two critical bugs that could let attackers run code on your PC


Google has released Chrome 147 to the stable channel for Windows, Mac, and Linux with a long list of security fixes, including two critical flaws in WebML that could let a remote attacker trigger memory corruption through a malicious HTML page. The patched versions are 147.0.7727.55 on Linux and 147.0.7727.55/56 on Windows and Mac.

The two critical bugs are CVE-2026-5858, a heap buffer overflow in WebML, and CVE-2026-5859, an integer overflow in WebML. Google’s release notes show that each report earned a $43,000 reward, a figure that reflects how seriously Google’s reward panel rated the impact and exploitability of each bug.

For users, the practical takeaway is simple. If you use Chrome on desktop, update now. Google says the stable release is already rolling out, and the patched build closes both critical WebML issues along with a wider group of high-severity flaws across WebRTC, V8, WebAudio, Media, ANGLE, Blink, Skia, and other browser components.

The most important fixes in this update

Google’s official release notes list 16 high-severity issues on top of the two critical bugs. These include a use-after-free flaw in WebRTC, a use-after-free bug in V8, two inappropriate implementation issues in V8, a heap buffer overflow in WebAudio, and a type confusion bug in V8.

The release also fixes more high-severity issues in Media, WebML, ANGLE, Skia, Blink, and V8. Bug classes such as use-after-free, type confusion, and out-of-bounds memory access matter because a reachable instance in the renderer is usually the first link in a full compromise chain: it gives an attacker code execution inside the sandboxed renderer process, which is then paired with a second bug to escape the sandbox. Google has not said these flaws were exploited in the wild, but it notes that bug details may stay restricted until most users have installed the update.

Google’s enterprise release summary for Chrome 147 also shows that this version brings broader platform changes around security and privacy, including local network access restrictions, Device Bound Session Credentials, the Safe Browsing API v5 migration, and more security-focused controls for managed environments.

Key vulnerabilities in Chrome 147

CVE             Severity   Component   Google’s description
CVE-2026-5858   Critical   WebML       Heap buffer overflow
CVE-2026-5859   Critical   WebML       Integer overflow
CVE-2026-5860   High       WebRTC      Use after free
CVE-2026-5861   High       V8          Use after free
CVE-2026-5864   High       WebAudio    Heap buffer overflow
CVE-2026-5865   High       V8          Type confusion

The table above reflects Google’s published desktop stable release notes for Chrome 147.

Why WebML bugs matter

Both critical flaws sit in WebML, the component behind Chrome’s in-browser machine learning features. A subsystem that parses complex inputs controlled by a web page is exactly where a heap buffer overflow, or an integer overflow in a size calculation, can corrupt memory, crashing the renderer or, in the worst case, letting a malicious page execute code inside it. Google’s advisory does not yet publish technical details of either bug, which is standard practice while the update is still rolling out.

That limited disclosure cuts both ways. It protects users during rollout, but it also means defenders should treat the update seriously because researchers already reported concrete memory corruption bugs and Google rated them critical.
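The failure mode described above, as an added illustration that is not Chrome’s WebML code and does not describe the patched bugs: a shape supplied by untrusted input is multiplied into a byte count in 32-bit arithmetic, wraps to a small value, and leaves a per-element write running far past the heap allocation; the checked variant refuses the shape before any allocation happens. The function names, the 32-bit size type, the sample shapes and the element size are all constructed for this example.

```c
/* Added illustration (not Chrome/WebML code, not the patched bugs): how an
 * unchecked integer overflow in a size computation becomes a heap buffer
 * overflow, beside the checked computation that prevents it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample shapes. EVIL_SHAPE is chosen so that
 * 65537 * 65536 * 4 bytes = 2^34 + 2^18, which wraps to 2^18 in 32 bits. */
static const uint32_t EVIL_SHAPE[2]   = {65537u, 65536u};
static const uint32_t BENIGN_SHAPE[2] = {2u, 3u};

/* Unchecked: multiplies dimensions in 32-bit arithmetic, so a large shape
 * silently wraps to a small byte count (unsigned wrap is defined in C). */
uint32_t unchecked_byte_size(const uint32_t *dims, size_t ndims, uint32_t elem_size) {
    uint32_t total = elem_size;
    for (size_t i = 0; i < ndims; i++)
        total *= dims[i];   /* wraps modulo 2^32 for a hostile shape */
    return total;
}

/* Checked: refuses any shape whose byte count does not fit in 32 bits.
 * Returns the byte count, or -1 if total * dims[i] would exceed UINT32_MAX. */
int64_t checked_byte_size(const uint32_t *dims, size_t ndims, uint32_t elem_size) {
    uint32_t total = elem_size;
    for (size_t i = 0; i < ndims; i++) {
        if (dims[i] != 0 && total > UINT32_MAX / dims[i])
            return -1;  /* multiplication would overflow: reject the shape */
        total *= dims[i];
    }
    return (int64_t)total;
}

/* How many bytes a per-element fill loop would write past a buffer sized by
 * unchecked_byte_size(), computed in 64 bits. 0 means the write stays in bounds. */
uint64_t overflow_bytes(const uint32_t *dims, size_t ndims, uint32_t elem_size) {
    uint64_t elems = 1;
    for (size_t i = 0; i < ndims; i++)
        elems *= dims[i];
    uint64_t needed = elems * elem_size;
    uint64_t allocated = unchecked_byte_size(dims, ndims, elem_size);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened allocation path: size is validated before calloc, so a hostile
 * shape yields NULL instead of an undersized heap buffer. */
void *alloc_tensor(const uint32_t *dims, size_t ndims, uint32_t elem_size) {
    int64_t bytes = checked_byte_size(dims, ndims, elem_size);
    if (bytes < 0)
        return NULL;
    return calloc(bytes > 0 ? (size_t)bytes : 1, 1);
}

int main(void) {
    printf("unchecked size for evil shape: %u bytes\n",
           unchecked_byte_size(EVIL_SHAPE, 2, 4));
    printf("bytes a fill loop would write past it: %llu\n",
           (unsigned long long)overflow_bytes(EVIL_SHAPE, 2, 4));
    printf("checked size for evil shape: %lld (-1 = rejected)\n",
           (long long)checked_byte_size(EVIL_SHAPE, 2, 4));
    void *ok = alloc_tensor(BENIGN_SHAPE, 2, 4);
    printf("benign shape allocated: %s\n", ok ? "yes" : "no");
    free(ok);
    return 0;
}
```

The unchecked path allocates 262144 bytes for a shape that actually needs about 16 GiB, so the first fill loop over the elements writes 2^34 bytes past the allocation; the checked path returns -1 and the allocator never hands out the buffer. The same check applies to any size computed from a product of attacker-controlled dimensions, whatever the subsystem.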

This comes just days after another high-profile Chrome security alert in early April involving CVE-2026-5281, an exploited zero-day in Dawn/WebGPU. That earlier case makes fast browser patching even more important this month, especially for organizations that manage large Chrome fleets.

What users and admins should do now

If Chrome has not updated yet, open the browser menu, go to Help and then About Google Chrome. Chrome should download the latest build automatically and prompt you to relaunch once the update is ready. The patched desktop versions are 147.0.7727.55 for Linux and 147.0.7727.55/56 for Windows and Mac.

Admins should also review Chrome 147’s enterprise notes because this release includes feature and policy changes beyond the security fixes. That matters in managed environments where browser version pinning or staged rollouts can leave older builds exposed for longer than expected.

If you rely on Chrome for work, banking, or admin access to sensitive services, this is not a patch to delay. Bugs in components like V8, WebRTC, and other memory-handling paths tend to attract rapid attacker interest once a fix is public, because the patch itself points at the vulnerable code. That expectation rests on the bug classes patched here and on how attackers typically behave after browser security releases, not on any reported exploitation of these specific flaws.

Quick summary

  • Chrome 147 patches two critical WebML flaws, CVE-2026-5858 and CVE-2026-5859.
  • Google shipped the fixed versions on April 7, 2026 for Windows, Mac, and Linux.
  • The update also fixes 16 high-severity bugs across major browser components.
  • Users should update to 147.0.7727.55 or 147.0.7727.55/56 immediately.

FAQ

Which Chrome versions fix the critical bugs?

Chrome 147.0.7727.55 on Linux and 147.0.7727.55/56 on Windows and Mac fix the issues Google disclosed in this release.

Were these Chrome flaws exploited in the wild?

Google’s desktop stable release notes do not say that CVE-2026-5858 or CVE-2026-5859 were actively exploited. Google does say it is restricting some bug details until more users update.

What are the most serious bugs in this update?

The most serious bugs are the two critical WebML flaws, one heap buffer overflow and one integer overflow. Google rated both as critical and attached $43,000 rewards to each report.

How do I update Chrome manually?

Open Chrome Menu > Help > About Google Chrome and let the browser check for updates. Relaunch Chrome after it installs the new build. Google’s stable channel release notes confirm the fixed version numbers.

Readers help support VPNCentral. We may get a commission if you buy through our links.
