Google Ships Chrome 147 With 60 Security Fixes
Google this week released the first stable build of Chrome 147, delivering patches for a total of 60 vulnerabilities. The update spans a wide range of severity levels, from low-impact issues to two bugs that have been classified as critical — the most serious rating in Chrome's disclosure framework.
Two Critical Flaws Hit the WebML Component
Both critical vulnerabilities reside in Chrome's WebML component, the subsystem responsible for running machine learning models natively inside the browser. The flaws were reported by anonymous researchers and have been catalogued as follows:
- CVE-2026-5858 — A heap buffer overflow in WebML
- CVE-2026-5859 — An integer overflow in WebML
Each of the researchers who reported these bugs was awarded $43,000, bringing the combined payout to $86,000. The size of these bounties, combined with the critical severity designation, strongly implies that the vulnerabilities could be leveraged for sandbox escapes and/or remote code execution, two of the most dangerous outcomes in browser security.
Fourteen High-Severity Issues Also Addressed
Beyond the two critical bugs, 14 additional vulnerabilities were assigned a high severity rating. These affect a broad set of Chrome subsystems, including:
- WebRTC
- V8 (Chrome's JavaScript engine)
- WebAudio
- Media
- WebML
- ANGLE
- Skia
- Blink
Nearly half of these high-severity issues were identified internally by Google's own security teams, while a number of them were submitted by anonymous external researchers. Google publicly disclosed bug bounty rewards for only two of the high-severity findings: $11,000 for CVE-2026-5860 and $3,000 for CVE-2026-5861.
Notable Medium-Severity Bug: Use-After-Free in PrivateAI
Among the medium- and low-severity issues patched in this release, at least one stands out. Google paid an $11,000 bug bounty for CVE-2026-5874, a use-after-free vulnerability in PrivateAI. Use-after-free bugs can sometimes be escalated to achieve code execution depending on memory layout conditions, which may explain the relatively high reward despite the medium classification.
No In-the-Wild Exploitation Reported
Google did not report any evidence that the 60 patched vulnerabilities have been actively exploited in the wild. This is a meaningful distinction: earlier this year, in late March, Google was forced to push an emergency Chrome update to address 21 vulnerabilities, one of which was a zero-day that had already been used in malicious attacks.
New Session Cookie Protections Also Rolling Out
Alongside the Chrome 147 security release, Google announced the broader rollout of new session cookie protections designed to guard against account compromise through stolen authentication cookies. Cookie theft is a well-established technique used by threat actors to bypass multi-factor authentication and hijack active user sessions, making this an important addition to Chrome's defensive capabilities.
Context: Chrome's Recent Security Track Record
The Chrome 147 update is the latest in a series of security-focused releases from Google. The company has been steadily increasing patch frequency and transparency around vulnerability rewards. The scale of payouts in this release — with a single update disbursing at least $86,000 for two critical bugs alone, and additional thousands for high and medium findings — underscores the real-world value that Google places on proactive external vulnerability research.
Users and administrators are encouraged to ensure Chrome installations are updated to version 147 promptly, particularly in enterprise environments where browser-based attacks remain a common initial access vector.
Source: SecurityWeek