Google has begun rolling out an update for the Chrome stable channel that addresses 31 security vulnerabilities, five of them rated Critical. The release, version 147.0.7727.101/102, also carries one of the largest single bug bounties the program has paid in recent memory: a $90,000 reward for a heap buffer overflow in the browser's graphics layer.
The update is currently rolling out for Windows, Mac, and Linux users and is expected to reach the global user base over the coming days and weeks.
The standout fix in this release is CVE-2026-6296, a critical heap buffer overflow discovered in ANGLE (Almost Native Graphics Layer Engine). Reported by researcher cinzinga in early March, the vulnerability was significant enough to command a $90,000 bounty.
ANGLE is the layer that translates OpenGL ES API calls into the platform's native graphics API (Direct3D, Vulkan, or Metal, depending on the system). Because WebGL content reaches ANGLE from any ordinary web page, a heap buffer overflow there can be triggered by a specially crafted HTML page without user interaction beyond loading the site; memory corruption at this layer, chained with further bugs, is a well-worn route to code execution outside the renderer sandbox and ultimately on the host system.
While the ANGLE flaw takes the headlines, the update secures four other Critical-severity pathways:
- CVE-2026-6297: A Use-after-free (UAF) bug in the Proxy component ($10,000 reward).
- CVE-2026-6298: A heap buffer overflow in the Skia 2D graphics library.
- CVE-2026-6299: A UAF vulnerability in the browser’s Prerender mechanism, which predicts and loads pages before a user clicks them.
- CVE-2026-6358: A UAF flaw in Chrome’s Extended Reality (XR) implementation, reported by researchers at Seoul National University.
Beyond the critical tier, the update addresses 21 High-severity vulnerabilities. This group represents a broad attack surface, touching nearly every core system in the browser:
- Graphics and Rendering: Multiple fixes for PDFium, Graphite, and GPU out-of-bounds writes.
- JavaScript Engine: Two Type Confusion vulnerabilities in TurboFan, the optimizing compiler inside V8, Chrome's JavaScript engine (CVE-2026-6301 and CVE-2026-6307).
- Privacy and Permissions: UAF issues in FileSystem, Permissions, and Passwords policy enforcement.
Notably, CVE-2026-6364—an out-of-bounds read in Skia—was reported by Google Threat Intelligence on April 13, just days before the release.
To confirm your browser is protected, open the Chrome menu, then Help > About Google Chrome (or load chrome://settings/help in the address bar). Chrome checks for the 147.0.7727.101/102 update, downloads it, and prompts for a relaunch; the fix is not active until the browser has restarted.
Given how many of these fixes are for memory safety bugs (use-after-free and buffer overflows), several of them reachable from ordinary web pages, administrators should push the build out promptly and enforce the relaunch: an update that has downloaded but is still waiting on a restart leaves the vulnerable code running. Chrome's RelaunchNotification and RelaunchNotificationPeriod enterprise policies can require that restart within a chosen window.
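The check above, written as a fleet-side script rather than a manual visit to the About page. This is an added example, not code from the article or from Google; it assumes a Linux install whose binary is `google-chrome` (on other platforms, pass whatever version string the package inventory reports), takes the first fixed build number from the article, and uses constructed sample version strings in place of live hosts. The version comparison is numeric per component, because a plain string compare would rank 147.0.7727.98 above 147.0.7727.101.

```shell
#!/bin/sh
# Added example (not from the article): compare an installed Chrome version
# string against the first fixed build and report whether the host is patched.
# Fixed build taken from the article; the sample strings below are constructed.

FIXED_VERSION="147.0.7727.101"

# version_ge A B -> returns 0 if dotted version A >= B, comparing the four
# components numerically (so 147.0.7727.98 < 147.0.7727.101).
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_is_patched "<output of 'google-chrome --version'>"
# Extracts the dotted version from a string such as "Google Chrome 147.0.7727.98",
# prints PATCHED or VULNERABLE, and returns 0 (patched), 1 (vulnerable)
# or 2 (version string could not be parsed).
chrome_is_patched() {
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse a version from '$1'" >&2
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "PATCHED ($ver >= $FIXED_VERSION)"
        return 0
    fi
    echo "VULNERABLE ($ver < $FIXED_VERSION)"
    return 1
}

# Constructed sample strings standing in for `google-chrome --version` output
# from three hosts. On a real host run:
#   chrome_is_patched "$(google-chrome --version 2>/dev/null)"
for sample in "Google Chrome 147.0.7727.98" \
              "Google Chrome 147.0.7727.102" \
              "Google Chrome 146.0.7690.4"; do
    chrome_is_patched "$sample" || true
done
```

Note that a patched version on disk still does not prove the running process is patched: a Chrome that has updated but not relaunched reports the new version from the binary while the old code keeps running, so pair this with the relaunch policy rather than treating it as the final word.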