SecurityWeek

Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000


Google announced this week the first stable version of Chrome 147, which includes patches for 60 vulnerabilities, including two that have been rated critical.

The critical vulnerabilities both impact Chrome’s WebML component, which is designed for running machine learning models directly in the browser.

The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859).

The reporting researchers each earned $43,000 for their findings. The significant bug bounty rewards coupled with the severity rating suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution. 

Of the remaining vulnerabilities fixed in Chrome, 14 have been assigned a ‘high’ severity rating. 

The flaws affect Chrome components such as WebRTC, V8, WebAudio, Media, WebML, Angle, Skia, and Blink. Nearly half of them were found internally by Google, and many have been reported by anonymous researchers.

The tech giant has announced a bug bounty for only two of them: $11,000 for CVE-2026-5860, and $3,000 for CVE-2026-5861.

The remaining security holes have been assigned ‘medium’ and ‘low’ severity ratings, but at least one of the medium-severity issues appears significant.

Google has paid out an $11,000 bug bounty for CVE-2026-5874, a use-after-free bug in PrivateAI.

There is no mention of any vulnerabilities being exploited in the wild. 

In late March, Google released a Chrome update to patch 21 vulnerabilities, including a zero-day exploited in malicious attacks. 

Google also announced this week that it has rolled out new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies.
