Chrome 147 Patches 60 Vulnerabilities Including Two Critical WebML Flaws Worth $86K in Bounties
Summary
Google has pushed Chrome 147 to the stable channel, patching a whopping 60 security vulnerabilities — including two critical flaws in Chrome’s Web Machine Learning (WebML) component that earned researchers a combined $86,000 in bug bounties.
The two critical CVEs are CVE-2026-5858 (heap buffer overflow) and CVE-2026-5859 (integer overflow), both in WebML — the subsystem that runs ML models directly inside the browser. Either flaw could be exploited remotely via a crafted HTML page to achieve arbitrary code execution or a sandbox escape. No authentication is required; a victim only needs to be lured to the page.
Google has not reported active exploitation in the wild yet, and is restricting detailed technical information to buy time for the massive Chrome user base (3.5 billion+) to auto-update. The patched versions are 147.0.7727.55 (Linux) and 147.0.7727.55/56 (Windows/macOS).
Source
SecurityWeek · PCWorld · Forbes
Commentary
WebML is a relatively new and rapidly evolving browser API — exactly the kind of attack surface where memory corruption bugs thrive. The fact that two critical RCE-capable flaws landed in the same component at the same time suggests this area needs significantly more fuzzing and auditing attention.
For enterprise security teams: if you’re not enforcing Chrome auto-updates via group policy, now is a very good time to start. Sixty vulnerabilities in one release is a rough patch Tuesday for a browser that’s essentially become the new operating system. And if you’re using WebML-powered features in production web apps, double-check that your users are actually running the patched version.
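As an added example (not from the article or its sources), here is a small check that reads a device inventory export and flags hosts still below the patched Chrome 147 builds named above; the inventory format and host names are assumptions, and the comparison is done on numeric tuples because plain string comparison would rank "147.0.7727.100" below "147.0.7727.56".

```python
# Added example, not from the article. Flags Chrome installs older than the
# patched Chrome 147 builds the article names. Inventory format is assumed.
import re

# Minimum patched build per platform, as stated in the article: 147.0.7727.55 on
# Linux; Windows/macOS shipped 147.0.7727.55/56, so .55 is the floor there too.
PATCHED_MIN = {
    "linux": (147, 0, 7727, 55),
    "windows": (147, 0, 7727, 55),
    "macos": (147, 0, 7727, 55),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # Chrome uses major.minor.build.patch


def parse_version(text):
    """Turn 'major.minor.build.patch' into an int tuple; reject anything else."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(platform, version):
    """True if this platform's install is at or above the patched Chrome 147 build."""
    return parse_version(version) >= PATCHED_MIN[platform.lower()]


def unpatched_hosts(inventory_lines):
    """Return (host, platform, version) for every line that is below the floor.
    Lines are 'host,platform,version' (an assumed format); lines with an unknown
    platform or a malformed version are reported too, since they need a look."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        host, platform, version = (fields + ["", "", ""])[:3]
        try:
            if not is_patched(platform, version):
                findings.append((host, platform, version))
        except (KeyError, ValueError):
            findings.append((host, platform, version))
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    "# host,platform,version",
    "ws-01,windows,147.0.7727.56",
    "ws-02,windows,146.0.7680.110",
    "ws-03,macos,147.0.7727.55",
    "srv-04,linux,147.0.7727.55",
    "ws-05,linux,147.0.7710.9",
    "ws-06,windows,147.0.7727",
]
```

Running `unpatched_hosts(SAMPLE_INVENTORY)` on the constructed data reports ws-02 and ws-05 as below the floor and ws-06 for its malformed version string.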