CVE-2026-5859 Overview
CVE-2026-5859 is an integer overflow vulnerability in the WebML component of Google Chrome versions prior to 147.0.7727.55. A remote attacker can exploit heap corruption by enticing a user to visit a crafted HTML page. The Chromium project rated the underlying security severity as Critical. Successful exploitation requires user interaction such as loading attacker-controlled web content. The flaw affects Chrome across Windows, macOS, and Linux desktop builds.
Critical Impact
Remote attackers can trigger heap corruption in the browser process context, potentially leading to arbitrary code execution within the renderer sandbox via a single malicious web page.
Affected Products
- Google Chrome prior to 147.0.7727.55 on Microsoft Windows
- Google Chrome prior to 147.0.7727.55 on Apple macOS
- Google Chrome prior to 147.0.7727.55 on Linux
Discovery Timeline
- 2026-04-08 - CVE-2026-5859 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5859
Vulnerability Analysis
The vulnerability resides in WebML, the Web Machine Learning implementation that exposes machine learning inference APIs to JavaScript inside the Chrome renderer. An integer overflow occurs during size or length computation, which is consistent with the assigned weakness [CWE-472]. When the computed value wraps, downstream allocations and bounds checks operate on a truncated size. The renderer then writes beyond the intended heap buffer, producing heap corruption.
An attacker who controls the corrupted heap state can pivot to arbitrary memory writes. From there, exploitation chains commonly target type confusion or function pointer overwrites to achieve code execution inside the renderer process.
Root Cause
The root cause is unchecked or improperly validated arithmetic on attacker-influenced integer values used to size WebML tensor or buffer operations. When the multiplication or addition exceeds the integer width, the allocator receives a smaller-than-required size. Subsequent population of the buffer writes past its bounds and corrupts adjacent heap metadata or objects.
Attack Vector
Exploitation is network-based and requires user interaction. The victim must load a crafted HTML page that issues specific WebML API calls with parameters chosen to trigger the overflow. No authentication or prior access to the target system is required. Drive-by download, malicious advertising, and compromised legitimate sites are realistic delivery channels for the crafted page.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS score is 0.087%. See the Chromium Issue Tracker Entry for upstream technical context.
Detection Methods for CVE-2026-5859
Indicators of Compromise
- Unexpected Chrome renderer process crashes with heap corruption signatures in crash dumps when visiting untrusted sites.
- Chrome child processes spawning unexpected shells, scripting interpreters, or LOLBins shortly after browsing activity.
- Outbound connections from chrome.exe child processes to uncategorized or newly registered domains hosting WebML-heavy content.
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build below 147.0.7727.55 as vulnerable.
- Hunt for renderer process anomalies such as memory access violations, segfaults, or EXCEPTION_ACCESS_VIOLATION events correlated with browsing telemetry.
- Correlate web proxy logs with endpoint process telemetry to identify users loading pages that invoke WebML APIs from low-reputation domains.
Monitoring Recommendations
- Monitor Chrome auto-update status and alert on endpoints where the browser has not been restarted to apply pending updates.
- Track child-process creation from chrome.exe, Google Chrome Helper, and Linux equivalents, alerting on non-browser executables.
- Ingest browser crash telemetry into the SIEM and baseline rates to surface clusters indicating active exploitation attempts.
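The child-process rule from the monitoring list above, as an added example (not vendor or Chromium tooling): it scans constructed process-creation events in a hypothetical `time|host|parent_image|image` format and alerts when a Chrome process starts a non-browser executable. The allowlist in `is_allowed` is an assumption to tune against your own baseline.

```shell
#!/bin/sh
# Added example: flag non-browser children of Chrome processes.
# Event format (hypothetical): time|host|parent_image|image

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS='2026-04-14T09:12:03Z|ws-022|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Program Files\Google\Chrome\Application\chrome.exe
2026-04-14T09:12:41Z|ws-022|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\cmd.exe
2026-04-14T09:13:02Z|lin-003|/opt/google/chrome/chrome|/opt/google/chrome/chrome_crashpad_handler
2026-04-14T09:15:10Z|lin-003|/opt/google/chrome/chrome|/usr/bin/bash
2026-04-14T09:16:00Z|ws-022|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe'

# Read events on stdin; print one ALERT line per suspicious child.
flag_chrome_children() {
  awk -F'|' '
    # Reduce a Windows or POSIX path to its lower-cased file name.
    function base(p) { gsub(/\\/, "/", p); sub(/.*\//, "", p); return tolower(p) }
    # Chrome itself, including the macOS "Google Chrome Helper" variants.
    function is_chrome(n) {
      return n == "chrome.exe" || n == "chrome" || n ~ /^google chrome/
    }
    # Assumed allowlist of expected children; extend after baselining.
    function is_allowed(n) { return is_chrome(n) || n ~ /^chrome_crashpad_handler/ }
    NF >= 4 {
      parent = base($3); child = base($4)
      if (is_chrome(parent) && !is_allowed(child))
        printf "ALERT %s %s %s -> %s\n", $1, $2, parent, child
    }'
}

printf '%s\n' "$SAMPLE_EVENTS" | flag_chrome_children
```

Native messaging hosts installed by extensions are a common legitimate source of non-browser children, so expect to add entries to the allowlist before alerting on this in production.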
How to Mitigate CVE-2026-5859
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.55 or later on all Windows, macOS, and Linux endpoints.
- Force-restart Chrome on managed devices to ensure the patched binary is loaded into memory.
- Validate the deployed version through enterprise management tooling rather than relying on user self-reporting.
Patch Information
Google addressed CVE-2026-5859 in the Chrome Stable channel update referenced in the Google Chrome Desktop Update advisory. The fix ships in Chrome 147.0.7727.55 and later. Chromium-based browsers that incorporate the same WebML code should apply the corresponding vendor update once published.
Workarounds
- Deploy Chrome Enterprise policies to disable or restrict WebML and experimental web platform features until patching is complete.
- Restrict browsing to vetted sites via web filtering for high-risk user groups while the rollout is in progress.
- Enforce site isolation and ensure the renderer sandbox is enabled to limit the impact of successful heap corruption.
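```bash
# Verify Chrome version on Linux endpoints
google-chrome --version
# Verify Chrome version on macOS endpoints (google-chrome is not on PATH there)
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
# Expected output: Google Chrome 147.0.7727.55 or later
# Windows (cmd.exe): query the version via the registry; BLBeacon is a per-user key under HKCU
reg query "HKCU\Software\Google\Chrome\BLBeacon" /v version
```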
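An added example (not vendor tooling) that turns the version check above into a pass/fail test against the fixed build 147.0.7727.55 named in this advisory, comparing each dotted field numerically. Host names and version strings in `SAMPLE_INVENTORY` are constructed.

```shell
#!/bin/sh
# Added example: classify Chrome version output against the fixed build.
FIXED_VERSION="147.0.7727.55"   # fixed build stated in this advisory

# Constructed sample inventory ("host|raw version output"), not real data.
SAMPLE_INVENTORY='ws-014|Google Chrome 147.0.7727.55
ws-022|Google Chrome 99.0.4844.84
mac-007|Google Chrome 147.0.7727.101
lin-003|chrome: command not found'

# Extract the first four-part dotted version from arbitrary command output.
extract_version() {
  printf '%s\n' "$1" | awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
    print substr($0, RSTART, RLENGTH); exit }'
}

# Succeed if version $1 >= version $2, field by field as numbers.
# A string comparison would wrongly rank 99.x above 147.x.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 4; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Print PATCHED, VULNERABLE or UNKNOWN for one raw version string.
classify_chrome() {
  ver=$(extract_version "$1")
  if [ -z "$ver" ]; then
    echo "UNKNOWN"
  elif version_ge "$ver" "$FIXED_VERSION"; then
    echo "PATCHED $ver"
  else
    echo "VULNERABLE $ver"
  fi
}

# Classify every "host|raw output" line of an inventory.
audit_inventory() {
  printf '%s\n' "$1" | while IFS='|' read -r host raw; do
    printf '%s %s\n' "$host" "$(classify_chrome "$raw")"
  done
}

audit_inventory "$SAMPLE_INVENTORY"
```

Treat `UNKNOWN` results as unverified rather than safe: a missing or unparsable version usually means the check did not run where Chrome is installed.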


