Vulnerabilities | Apr 10, 2026

Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000

Chrome 147 patches 60 vulnerabilities, including two critical flaws in WebML that earned $86K in total bounties.

Summary

Google released Chrome 147 with patches for 60 vulnerabilities, including two critical flaws, a heap buffer overflow and an integer overflow, affecting the WebML component used for running machine learning models in the browser. Anonymous researchers reported the critical issues and received $43,000 bounties each. Additionally, 14 high-severity vulnerabilities were patched across the WebRTC, V8, WebAudio, Media, Angle, Skia, and Blink components.

Full text

Google announced this week the first stable version of Chrome 147, which includes patches for 60 vulnerabilities, two of which have been rated critical. Both critical vulnerabilities impact Chrome’s WebML component, which is designed for running machine learning models directly in the browser. The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859). The reporting researchers each earned $43,000 for their findings. The significant bug bounty rewards, coupled with the severity rating, suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution.

Of the remaining vulnerabilities fixed in Chrome 147, 14 have been assigned a ‘high’ severity rating. These flaws affect Chrome components such as WebRTC, V8, WebAudio, Media, WebML, Angle, Skia, and Blink. Nearly half of them were found internally by Google, and many were reported by anonymous researchers. The tech giant has announced bug bounties for only two of them: $11,000 for CVE-2026-5860 and $3,000 for CVE-2026-5861.

The remaining security holes have been assigned ‘medium’ and ‘low’ severity ratings, but at least one of the medium-severity issues appears significant: Google has paid out an $11,000 bug bounty for CVE-2026-5874, a use-after-free bug in PrivateAI.

There is no mention of any of the vulnerabilities being exploited in the wild. In late March, Google released a Chrome update to patch 21 vulnerabilities, including a zero-day exploited in malicious attacks.

Google also announced this week that it has rolled out new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies.
Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Indicators of Compromise

  • cve — CVE-2026-5858
  • cve — CVE-2026-5859
  • cve — CVE-2026-5860
  • cve — CVE-2026-5861
  • cve — CVE-2026-5874

Entities

  • Google (vendor)
  • Chrome (product)
  • WebML (technology)
  • V8 (technology)
  • WebRTC (technology)