Critical WebML Heap and Integer Overflow Flaws Patched in Chrome 147
Summary
Google released Chrome 147, addressing 60 security vulnerabilities including two critical flaws in the WebML component that enable heap buffer overflow and integer overflow conditions. Both issues were reported anonymously and awarded $43,000 each in bug bounty payouts, indicating high exploit potential such as sandbox escape or remote code execution. The update also introduces new session cookie protections to mitigate account compromise via stolen authentication cookies.
Timeline
- 10.04.2026 13:44 (1 article)
Critical WebML Flaws Patched in Chrome 147 with New Cookie Protections
Google released Chrome 147, patching 60 vulnerabilities including CVE-2026-5858 and CVE-2026-5859, both critical issues in the WebML component. The update also introduces new session cookie protections to reduce risks from stolen authentication cookies. No in-the-wild exploitation has been reported.
Sources:
- Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000 — www.securityweek.com — 10.04.2026 13:44
Information Snippets
- Chrome 147 patches 60 vulnerabilities, including two critical flaws in the WebML component that impact machine learning model execution in-browser.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- The critical vulnerabilities are CVE-2026-5858 (heap buffer overflow in WebML) and CVE-2026-5859 (integer overflow in WebML), each reported anonymously and earning $43,000 bug bounties.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- 14 vulnerabilities were assigned a 'high' severity rating, affecting components such as WebRTC, V8, WebAudio, Media, WebML, Angle, Skia, and Blink.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- Google paid $11,000 for CVE-2026-5860 and $3,000 for CVE-2026-5861 as part of the Chrome 147 security update.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- CVE-2026-5874, a use-after-free flaw in PrivateAI, received an $11,000 bug bounty but is not listed as critical or high severity.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- No evidence of in-the-wild exploitation has been reported for any of the patched vulnerabilities.
  First reported: 10.04.2026 13:44 (1 source, 1 article)
- Chrome 147 introduces new session cookie protections to prevent account compromise via stolen authentication cookies.
  First reported: 10.04.2026 13:44 (1 source, 1 article)