Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution Flaws (CVE-2026-5858, CVE-2026-5859)

Executive Summary

Google Chrome version 147.0.7727.55/56 for Windows and macOS, and 147.0.7727.55 for Linux, was released in April 2026, addressing a total of 60 security vulnerabilities. Among these, two critical flaws in the WebML (Web Machine Learning) component were identified and patched, with a combined bug bounty payout of $86,000. These vulnerabilities, CVE-2026-5858 and CVE-2026-5859, could allow remote code execution if exploited. As of this report, there is no evidence of exploitation in the wild. This advisory provides a comprehensive technical analysis of the vulnerabilities, their exploitation potential, affected product versions, and actionable mitigation guidance for enterprise and technical stakeholders.

Technical Information

The Chrome 147 release is a significant security update, patching a broad spectrum of vulnerabilities across multiple browser components. The most severe issues reside in the WebML subsystem, which is responsible for enabling machine learning capabilities directly within the browser environment. The two critical vulnerabilities are:

CVE-2026-5858 is a heap buffer overflow in WebML. This vulnerability arises from improper bounds checking during the processing of certain WebML operations. Specifically, when a crafted HTML page leverages malformed WebML input, the browser fails to validate buffer boundaries, resulting in a heap buffer overflow condition. This flaw can be exploited by remote attackers to execute arbitrary code within the context of the browser process, potentially leading to full compromise of the affected system. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and was awarded a $43,000 bug bounty. The issue was reported by the researcher identified as c6eed09fc8b174b0f3eebedcceb1e792.

CVE-2026-5859 is an integer overflow in WebML. This vulnerability is triggered when the browser processes WebML operations with manipulated input sizes or parameters, causing an integer value to wrap around and bypass memory allocation checks. The result is heap corruption, which can be leveraged by an attacker to achieve remote code execution. Like the previous flaw, exploitation requires the user to visit a malicious HTML page. This vulnerability was also awarded a $43,000 bug bounty and was reported anonymously.
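The two bug classes described above (an integer wrap that defeats an allocation check, and a write that is not compared with the real buffer capacity) can be shown side by side with their hardened forms. This is an added, generic illustration and not Chrome or WebML code; the details of the actual defects are not public. The `tensor_desc` type, the function names, the 1 GiB limit and the sample dimensions are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tensor descriptor for illustration; not a Chrome/WebML type. */
typedef struct {
    uint32_t dims[4];
    uint32_t rank;      /* number of used entries in dims */
    uint32_t elem_size; /* bytes per element */
} tensor_desc;

/* Weak pattern: the 32-bit product wraps modulo 2^32, so a later
 * "size <= limit" check and the allocation both see a small value. */
uint32_t byte_size_unchecked(const tensor_desc *t) {
    uint32_t n = t->elem_size;
    for (uint32_t i = 0; i < t->rank && i < 4; i++)
        n *= t->dims[i];
    return n;
}

/* Hardened: validate rank, then refuse any step whose product would exceed limit. */
bool byte_size_checked(const tensor_desc *t, size_t limit, size_t *out) {
    if (t->rank == 0 || t->rank > 4 || t->elem_size == 0 || t->elem_size > limit)
        return false;
    size_t n = t->elem_size;
    for (uint32_t i = 0; i < t->rank; i++) {
        uint32_t d = t->dims[i];
        if (d == 0 || n > limit / d) /* n * d would exceed limit */
            return false;
        n *= d;
    }
    *out = n;
    return true;
}

/* Bounds-checked write: the copy length is compared with the real capacity. */
bool copy_checked(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t n) {
    if (n > dst_cap) return false;
    memcpy(dst, src, n);
    return true;
}

int main(void) {
    tensor_desc t = { {65536u, 65537u, 0, 0}, 2, 4 }; /* constructed input */
    size_t sz = 0;
    int ok = byte_size_checked(&t, (size_t)1 << 30, &sz);
    printf("unchecked=%u checked_ok=%d\n", (unsigned)byte_size_unchecked(&t), ok);
}
```

With the constructed dimensions the unchecked product wraps to 256 KiB although the element count implies about 16 GiB, which is the undersized-allocation condition that precedes heap corruption; the checked version rejects the same input.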

In addition to these critical flaws, Chrome 147 addresses 14 high-severity vulnerabilities, including use-after-free conditions in WebRTC, V8, Media, and Blink; heap buffer overflows in WebAudio, ANGLE, and WebML; type confusion in V8; and integer overflow in Skia. These vulnerabilities collectively expand the attack surface, increasing the risk of exploitation through various browser subsystems.

The technical impact of these vulnerabilities is significant. Both critical flaws enable remote code execution, which is among the most severe classes of browser vulnerabilities. Successful exploitation could allow an attacker to bypass browser sandboxing, escalate privileges, and potentially pivot to other systems within the network. The attack vector is remote, requiring only that a user visit a specially crafted web page.

The WebML component, being relatively new and complex, introduces a novel attack surface for adversaries. Machine learning operations often involve large, complex data structures and intensive memory operations, making them susceptible to memory safety issues such as buffer overflows and integer overflows. The rapid adoption of in-browser machine learning further amplifies the risk, as more web applications begin to leverage these capabilities.

Exploitation in the Wild

As of the publication of this report, there is no evidence that either CVE-2026-5858 or CVE-2026-5859 has been exploited in the wild. Both Google and independent security news outlets, including PCWorld and SecurityWeek, confirm that no active exploitation has been observed. The Chromium Issue Tracker entries for these vulnerabilities remain restricted, and no public proof-of-concept (PoC) code has been released.

Despite the absence of exploitation, the critical nature of these vulnerabilities and the high bug bounty payouts indicate a substantial risk. Historically, browser remote code execution vulnerabilities have been rapidly weaponized by threat actors once technical details become available. The window between disclosure and exploitation can be narrow, especially for high-value targets.

APT Groups using this vulnerability

At this time, no advanced persistent threat (APT) groups have been publicly linked to the exploitation of CVE-2026-5858 or CVE-2026-5859. According to all available threat intelligence sources, including MITRE ATT&CK and vendor advisories, there is no attribution or evidence of targeted campaigns leveraging these specific flaws.

However, it is important to note that browser remote code execution vulnerabilities are highly prized by APT groups and cybercriminal organizations. Groups such as APT28, APT37, and FIN7 have historically targeted browser vulnerabilities in their campaigns, often using drive-by compromise and client-side exploitation techniques. The attack techniques most relevant to these vulnerabilities include T1203 (Exploitation for Client Execution) and T1189 (Drive-by Compromise) as defined by the MITRE ATT&CK framework.

Given the criticality and potential impact, it is plausible that APT groups will attempt to reverse-engineer the patches and develop exploits in the near future. Organizations operating in high-risk sectors should remain vigilant and prioritize patching.

Affected Product Versions

The vulnerabilities affect all versions of Google Chrome prior to 147.0.7727.55. The patched versions are:

Windows: Chrome 147.0.7727.55 and Chrome 147.0.7727.56

macOS: Chrome 147.0.7727.55 and Chrome 147.0.7727.56

Linux: Chrome 147.0.7727.55

Any deployment running a version of Chrome earlier than these releases is vulnerable to the critical flaws described in this advisory. The vulnerabilities are present in both enterprise and consumer builds, and the risk profile is identical across supported operating systems.

Workaround and Mitigation

The primary mitigation is to update Google Chrome to version 147.0.7727.55/56 or later on all platforms. Organizations should ensure that all endpoints, including managed and unmanaged devices, are running the latest version of Chrome. Automated patch management solutions should be leveraged to expedite deployment.

In addition to patching, organizations should monitor for suspicious browser behavior, such as unexpected crashes or anomalous process launches, which may indicate exploitation attempts. User awareness training should emphasize the risks associated with visiting unknown or suspicious websites, as the attack vector for these vulnerabilities is web-based.

For environments where immediate patching is not feasible, consider restricting access to untrusted web content and disabling JavaScript execution for unknown domains. However, these are temporary measures and do not provide comprehensive protection against exploitation.

Security teams should also review browser extension policies, as malicious or compromised extensions can increase the attack surface and facilitate exploitation. Regularly audit installed extensions and enforce least-privilege principles.

References

Chrome Releases Blog (Official Advisory): https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html

NVD CVE-2026-5858: https://nvd.nist.gov/vuln/detail/CVE-2026-5858

NVD CVE-2026-5859: https://nvd.nist.gov/vuln/detail/CVE-2026-5859

PCWorld Article: https://www.pcworld.com/article/3110607/chrome-147-patch-fixes-60-security-flaws-including-2-critical-ones.html

SecurityWeek Article: https://www.securityweek.com/chrome-147-patches-60-vulnerabilities-including-two-critical-flaws-worth-86000/

Chromium Issue Tracker 493319454 (CVE-2026-5858): https://issues.chromium.org/issues/493319454

Chromium Issue Tracker 494158331 (CVE-2026-5859): https://issues.chromium.org/issues/494158331
