Google Issues Urgent Chrome Update to Patch 60 Flaws, Including Two Critical Bugs
Google Chrome 147 Patches 60 Vulnerabilities, Including Two Critical RCE Flaws
Related Entities
Organizations
Products & Tech
CVE Identifiers
Full Report
Executive Summary
Google has released a critical security update for its Chrome browser, bringing the stable channel to version 147.0.7727.55/56. The update, rolled out starting April 9, 2026, addresses 60 security vulnerabilities, including two rated as critical. These two critical flaws, CVE-2026-5858 and CVE-2026-5859, affect Chrome's WebML component and could allow an attacker to achieve remote code execution (RCE) by tricking a user into visiting a malicious website. The severity of these bugs is underscored by the high bug bounty payouts, totaling $86,000. The patch also includes fixes for 14 high-severity vulnerabilities. While Google has not reported any active exploitation in the wild, the critical nature of the flaws necessitates immediate action from all Chrome users on Windows, Mac, and Linux.
Vulnerabilities Addressed
The update patches a large number of flaws, but the most significant are the two critical vulnerabilities in WebML, Chrome's API for web-based machine learning.
- CVE-2026-5858: A critical heap buffer overflow vulnerability in WebML. This type of flaw can be exploited to overwrite memory, potentially leading to arbitrary code execution.
- CVE-2026-5859: A critical integer overflow vulnerability in WebML. Integer overflows can lead to incorrect memory allocation, which can also be leveraged to cause a buffer overflow and achieve code execution.
In addition to these, the update fixes 14 high-severity vulnerabilities, including:
- CVE-2026-5860: Use-after-free in WebRTC.
- CVE-2026-5861: Use-after-free in V8 JavaScript engine.
- CVE-2026-5862: Use-after-free in WebAudio.
- CVE-2026-5863: Inappropriate implementation in Media.
Use-after-free vulnerabilities are particularly dangerous as they often allow attackers to execute arbitrary code.
Affected Products
- Google Chrome versions prior to 147.0.7727.55 for Linux.
- Google Chrome versions prior to 147.0.7727.55/56 for Windows and Mac.
All desktop users of Google Chrome are affected.
Impact Assessment
A successful exploit of the critical vulnerabilities (CVE-2026-5858 or CVE-2026-5859) would allow an attacker to execute arbitrary code on the victim's computer within the context of the Chrome sandbox. While the sandbox provides a layer of protection, attackers often chain a browser exploit with a second sandbox escape exploit to gain full control over the underlying operating system. The attack vector is straightforward: an attacker would need to host a malicious website and convince a user to visit it. Given Chrome's massive user base (over 3.5 billion users), even a small percentage of unpatched systems represents a huge target for threat actors. The high bug bounty payouts ($43,000 for each critical flaw) indicate that Google's security team assessed these as highly impactful and likely exploitable.
Exploitation Status
As of the announcement, Google stated it was not aware of any active exploitation of these 60 vulnerabilities in the wild. However, now that the patches are public, threat actors will begin to reverse-engineer them to develop working exploits. The window for safe patching is therefore limited.
Cyber Observables for Detection
Detecting exploitation of a browser vulnerability on the network can be difficult as the traffic is encrypted. Endpoint detection is more effective.
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| process_name | chrome.exe |
Monitor for chrome.exe processes that spawn unexpected child processes, such as cmd.exe, powershell.exe, or wscript.exe. |
EDR, Process monitoring logs. | high |
| other | Chrome Crash Reports |
A sudden increase in Chrome browser crashes across an organization could indicate attempts to exploit a memory corruption vulnerability. | Endpoint monitoring, crash dump analysis. | medium |
Installation Instructions
Google Chrome automatically updates itself, but users can and should manually trigger the update to ensure they are protected immediately.
- Open Google Chrome.
- Click the three vertical dots in the top-right corner.
- Navigate to Help > About Google Chrome.
- Chrome will automatically check for and download the update.
- After the download is complete, you must relaunch the browser to apply the update. The version number should be 147.0.7727.56 or higher.
Deployment Priority
This update should be considered critical and deployed immediately.
- Priority 1 (Immediate): All user workstations, especially those of high-risk users (executives, finance, IT administrators).
- Priority 2 (Within 24 hours): All other systems, including servers that may have Chrome installed for administrative purposes.
Enterprise administrators should use their central management tools to push the update across their fleet as quickly as possible.
Timeline of Events
MITRE ATT&CK Mitigations
The primary mitigation is to apply the security update provided by Google immediately.
Mapped D3FEND Techniques:
Use web filtering solutions to block access to known malicious or untrusted websites that could host exploit code.
Ensure that OS-level exploit protections like ASLR and DEP are enabled. Modern browsers like Chrome use these by default.
Mapped D3FEND Techniques:
D3FEND Defensive Countermeasures
The most effective and urgent countermeasure for the vulnerabilities patched in Chrome 147 is to apply the software update. For end-users, this means navigating to 'About Google Chrome' and relaunching the browser. For enterprise environments, security teams must use their endpoint management tools (e.g., Microsoft Intune, Jamf, SCCM) to force the update across all managed devices immediately. Given that two of the vulnerabilities are critical and could lead to remote code execution, this is a race against time. Attackers will be actively reverse-engineering the patch to develop exploits. A rapid and comprehensive patching cycle is the only way to close this window of opportunity and protect the organization from drive-by compromise attacks.
As a secondary, detective control, organizations should use EDR solutions to perform Process Analysis on browser processes. A successful exploit of a critical vulnerability like CVE-2026-5858 would likely be followed by the execution of a second-stage payload. A key indicator of this is the browser process (chrome.exe) spawning anomalous child processes. Security teams should have high-priority alerts for any instance where chrome.exe is the parent of cmd.exe, powershell.exe, wscript.exe, or any unsigned executable. This behavior is almost always malicious and indicates that an attacker has broken out of the browser's context and is attempting to establish a foothold on the endpoint. This provides a critical opportunity to detect and contain a compromise on an unpatched system.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats