Serious security vulnerabilities have been discovered in Google Chrome, one of the world’s most widely used web browsers, putting millions of users at potential risk. Google has released Chrome version 147 to address multiple high-risk flaws, including two critical vulnerabilities that could allow cyber attackers to execute arbitrary code on a user’s system and potentially take full control of the device.
Two High-Risk Bugs Enable Arbitrary Code Execution
The two most severe vulnerabilities have been identified as CVE-2026-5858 and CVE-2026-5859. Both have been assigned a “Critical” severity rating, with bug bounty rewards of up to $43,000 (approximately ₹35 lakh) each. These flaws exist within Chrome’s Web Machine Learning (WebML) API, a feature designed to accelerate machine learning processes directly within the browser.
According to security researchers, CVE-2026-5858 is a heap buffer overflow vulnerability, while CVE-2026-5859 involves an integer overflow. Exploiting these flaws requires attackers to craft a specially designed HTML page. Once a user visits such a page, it can trigger memory corruption within the browser, allowing malicious code to be executed on the system.
Technically, the issue arises when WebML fails to properly validate memory boundaries while processing malformed or manipulated data. This allows attackers to write data beyond allocated memory buffers—a well-known precursor to code execution attacks. Such vulnerabilities are particularly dangerous because they can be used as entry points for more advanced exploitation.
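The bounds-validation failure described here, shown as an added C illustration of the bug class (this is not Chrome's or WebML's code; the `tensor_desc` structure and the function names are hypothetical). Computing a buffer size from untrusted shape dimensions without overflow checks can wrap to a tiny allocation, so the hardened variant rejects any shape whose byte count overflows and only copies a payload whose length matches the validated size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tensor descriptor parsed from untrusted page input; this is
 * not WebML's real data structure, only an illustration of the bug class. */
typedef struct {
    uint64_t shape[4];   /* dimension sizes supplied by the page */
    size_t   rank;       /* number of dimensions actually used */
    uint64_t elem_size;  /* bytes per element, e.g. 4 for float32 */
} tensor_desc;

/* Unchecked byte count: the product silently wraps modulo 2^64, so a
 * malformed shape can yield a tiny (even zero) allocation size while the
 * caller still believes it holds shape[0]*shape[1]*... elements. */
uint64_t tensor_bytes_unchecked(const tensor_desc *d) {
    uint64_t n = d->elem_size;
    for (size_t i = 0; i < d->rank; i++)
        n *= d->shape[i];
    return n;
}

/* Checked byte count: every multiplication is tested for overflow
 * (GCC/Clang builtin) and degenerate shapes are rejected up front. */
bool tensor_bytes_checked(const tensor_desc *d, uint64_t *out) {
    if (d->rank == 0 || d->rank > 4 || d->elem_size == 0)
        return false;
    uint64_t n = d->elem_size;
    for (size_t i = 0; i < d->rank; i++) {
        if (d->shape[i] == 0)
            return false;
        if (__builtin_mul_overflow(n, d->shape[i], &n))
            return false;
    }
    *out = n;
    return true;
}

/* Copy an untrusted payload into a heap buffer sized from the descriptor.
 * Returns NULL unless the validated size exists and equals the payload
 * length (which also guarantees it fits in size_t), so the memcpy can never
 * run past the end of the allocation. */
uint8_t *load_tensor(const tensor_desc *d, const uint8_t *payload, size_t payload_len) {
    uint64_t need;
    if (!tensor_bytes_checked(d, &need) || need != (uint64_t)payload_len)
        return NULL;
    uint8_t *buf = malloc((size_t)need);
    if (buf)
        memcpy(buf, payload, (size_t)need);
    return buf;
}
```

Building with AddressSanitizer, as mentioned later in the article, is how a write past the undersized buffer produced by the unchecked variant would be caught at test time.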
How Attackers Can Exploit These Flaws
In addition to the two critical flaws, Google has also patched 14 high-severity vulnerabilities affecting various browser components, including WebRTC, the V8 JavaScript engine, WebAudio, Media, and the ANGLE graphics layer. Notably, “use-after-free” and “type confusion” vulnerabilities in the V8 engine are considered highly dangerous, as they can potentially be leveraged to escape Chrome’s sandbox security environment when combined with other exploits.
The update also addresses several medium- and low-severity issues, including UI spoofing, policy bypasses, data leakage risks, and insufficient input validation. While these vulnerabilities may not be critical on their own, they can be chained together with more severe flaws to execute complex cyberattacks.
Experts Warn of Growing Cybersecurity Risks
Cybersecurity experts warn that such vulnerabilities highlight the increasing complexity of modern browsers, where even minor coding flaws can lead to major security risks. Renowned cyber crime expert and former IPS officer Prof. Triveni Singh stated, “Cyberattacks today are highly sophisticated. Even a simple web page can be used as a weapon to compromise a user’s system. Timely software updates remain the most effective line of defense.”
He further explained that attackers often use “exploit chains,” where one vulnerability is used to gain initial access and another to escalate privileges and take full control of the system.
Users Urged to Update Chrome Immediately
The vulnerabilities affect older versions of Chrome across Linux, Windows, and Mac platforms. Users running versions prior to 147.0.7727.55/56 are strongly advised to update immediately. Updates can be installed by navigating to “Settings → Help → About Google Chrome” in the browser.
Google also noted that advanced security testing tools such as AddressSanitizer, MemorySanitizer, and fuzzing frameworks played a crucial role in identifying these vulnerabilities before they could be widely exploited in the wild.