Critical Chrome vulnerabilities patched in Chrome 147 can lead to code execution
Google has released a new Chrome Stable Channel update that fixes 31 security bugs, including five rated Critical. The update brings Chrome to version 147.0.7727.101/102 on Windows and macOS, and 147.0.7727.101 on Linux.
The biggest risk comes from memory-safety flaws. Google’s release notes and downstream security advisories show that the patched bugs include heap buffer overflows and use-after-free issues in components such as ANGLE, Proxy, Skia, Prerender, and XR. Those bug classes can open the door to browser compromise and, in some cases, further code execution if attackers chain them successfully.
Users should update now. Google says the rollout started on April 15, 2026, and the fixed builds are already available through Chrome’s normal update process. Google also says it will limit technical details for some bugs until more users install the patch, which is standard practice for browser security releases.
Five critical flaws lead the patch set
The five Critical flaws listed in the release are CVE-2026-6296, CVE-2026-6297, CVE-2026-6298, CVE-2026-6299, and CVE-2026-6358. The first affects ANGLE, the second Proxy, the third Skia, the fourth Prerender, and the fifth XR. Google’s release notes and multiple security bulletins align on that list.
One of the most notable bugs is CVE-2026-6296, a heap buffer overflow in ANGLE. Red Hat and Tenable both describe it as affecting Chrome before 147.0.7727.101, with Tenable noting that a remote attacker could potentially use a crafted HTML page to trigger a sandbox escape.
What this means for users and admins
These flaws are dangerous because they sit in areas of the browser that process complex web content. Heap overflows and use-after-free bugs often let attackers corrupt memory through a malicious web page, which can lead to crashes, data exposure, or arbitrary code execution if the exploit works reliably enough. This is an inference based on the vulnerability classes and the security severity assigned by Google and NVD-linked entries.
The update does not appear to fix a confirmed in-the-wild zero-day, at least not in the public release notes for this batch. Google’s post focuses on patched vulnerabilities and researcher rewards, but it does not say any of these five Critical bugs were already being exploited before the patch shipped.
That does not lower the urgency much. Chrome is a high-value target, and public fix details usually give attackers a starting point for reverse engineering once patches spread widely. That is one reason Google restricts deeper bug information until enough users update.
Critical bugs fixed in Chrome 147
| CVE | Component | Severity |
|---|---|---|
| CVE-2026-6296 | ANGLE | Critical |
| CVE-2026-6297 | Proxy | Critical |
| CVE-2026-6298 | Skia | Critical |
| CVE-2026-6299 | Prerender | Critical |
| CVE-2026-6358 | XR | Critical |
The table above reflects Google’s Chrome release notes and downstream security advisories summarizing the April 15 desktop update.
How to update Chrome
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Go to **Help** and then **About Google Chrome**.
- Let Chrome check for updates automatically.
- Click **Relaunch** after the update finishes.
Windows and macOS users should end up on version 147.0.7727.101 or 147.0.7727.102. Linux users should reach version 147.0.7727.101 or later.
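
Admins who need to confirm the fixed build across many machines can script the same version check. The sketch below is an added example, not code from Google or from the original article. The host names and inventory lines are constructed, and it assumes that any desktop build at or above 147.0.7727.101 counts as fixed.

```python
import re

# Fixed desktop build named in the article (Windows, macOS, Linux).
# Assumption: anything at or above this build is treated as patched.
FIXED_BUILD = (147, 0, 7727, 101)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 147.0.7727.101'. Returns a tuple of ints or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version.

    Comparison is numeric per component. Comparing the raw strings would
    rank '147.0.7727.55' above '147.0.7727.101' and hide an unpatched host.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, reported_version_text) pairs.
    Returns a dict mapping each status to a sorted list of hosts."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        report[classify(text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and collected output).
SAMPLE_INVENTORY = [
    ("win-01", "Google Chrome 147.0.7727.102"),
    ("mac-07", "Google Chrome 147.0.7727.101"),
    ("lin-03", "Google Chrome 147.0.7727.55"),   # constructed pre-fix build
    ("win-09", "Google Chrome 146.0.7680.200"),  # constructed older build
    ("lin-11", "147.0.7727.101"),
    ("kiosk-2", "chrome: command not found"),    # no version collected
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be followed up manually rather than assumed patched.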
FAQ
It fixes several Critical memory-corruption flaws that can create a path to arbitrary code execution, although Google’s release notes do not label each one with a full public exploitation chain.
Google says this release fixes 31 security issues in total.
For this release, the fixed versions are 147.0.7727.101/102 on Windows and macOS, and 147.0.7727.101 on Linux.
At least CVE-2026-6358 is described by NVD as affecting Chrome on Android before version 147.0.7727.101, so it should not be presented as a desktop-only bug without qualification.