"The critical vulnerabilities both impact Chrome's WebML component, which is designed for running machine learning models directly in the browser. The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859)."
"The significant bug bounty rewards coupled with the severity rating suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution. Google has paid out a $11,000 bug bounty for CVE-2026-5874, a use-after-free bug in PrivateAI."
"Of the remaining vulnerabilities fixed in Chrome, 14 have been assigned a 'high' severity rating. The flaws affect Chrome components such as WebRTC, V8, WebAudio, Media, WebML, Angle, Skia, and Blink."
Chrome 147 includes patches for 60 vulnerabilities, with two critical issues related to the WebML component. These vulnerabilities, a heap buffer overflow and an integer overflow, could allow for sandbox escapes and remote code execution. Researchers reported these flaws and received $43,000 in bug bounties. Additionally, 14 vulnerabilities were rated high severity, while others were medium or low. Google also introduced new session cookie protections to enhance security against account compromises. No current exploitation of these vulnerabilities has been reported.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]