Google released Chrome 147.0.7727.55 on April 8, 2026, plugging a memory-corruption vulnerability in the browser’s WebML component that could allow an attacker to write data outside allocated memory. Tracked as CVE-2026-5915, the bug was reachable through a specially crafted HTML page—no file download required. Microsoft has confirmed the same fix extends to Edge, its Chromium-based browser, meaning millions of Windows users need to update now even though the flaw carries a “Low” severity label from the Chromium project.
A Quick Patch for a Subtle Threat
CVE-2026-5915 is an out-of-bounds memory write caused by insufficient validation of untrusted input inside WebML, the machine-learning pipeline that lets websites run neural networks and other models directly in the browser. When a victim simply visits a malicious site, the browser may mishandle malformed data and write past the end of a buffer. The Chromium team rated the bug Low severity, but the vulnerability’s network reachability and high potential impact on integrity and availability make it more dangerous in practice than the label suggests.
Chrome versions before 147.0.7727.55 are affected. The stable channel update shipped on April 8, and the CVE entry was modified the following day. Microsoft’s Security Update Guide now lists CVE-2026-5915 to alert Edge users that the latest browser build is no longer vulnerable. If you see version 147.0.7727.55 or higher in Chrome, or the equivalent Edge release, you are protected.
Inside the WebML Memory Bug
Modern browsers run complex workloads that span graphics, audio, and now machine learning. WebML exposes powerful capabilities to web developers, but every new code path widens the attack surface. In this case, the browser’s input validation failed to properly check data destined for memory operations, allowing an attacker to corrupt adjacent memory.
A remote attacker can exploit this by luring a user to a booby-trapped page. No local execution or installation is needed—just a click. While the Chromium project labels the flaw Low, experienced security teams never ignore a memory write bug. Even a “low” severity write primitive can be chained with other vulnerabilities to gain code execution or escape the browser sandbox. In the world of browser exploitation, today’s memory corruption often becomes tomorrow’s full compromise.
What CVE-2026-5915 Means for Your Daily Browsing
For home users, the risk comes down to a single moment of inattention. You follow a link from an email, a chat message, or a social media post, and the page loads—and if your browser is out of date, the damage is done. The bug does not require you to download a file; the HTML itself is the weapon. Restarting the browser after an update is essential, as Chrome and Edge often apply patches only after a full relaunch.
The “Low” severity rating can create dangerous complacency. Security labels are internal prioritization tools, not safety guarantees. An attacker who can achieve a reliable memory write can often escalate to something far more serious. Treat every browser update as mandatory, not optional—especially when the fix involves memory handling.
Home users should also remember that Chrome is not the only browser built on Chromium. Browsers like Brave, Opera, Vivaldi, and others often share the same engine and may be vulnerable until they issue their own updates. If you use multiple Chromium-based browsers, check each one.
Enterprise Windows: When Browser Updates Lag
For IT and security teams, a Chrome vulnerability is never just a browser issue. Employees use their browsers to access email, SaaS platforms, internal apps, and sensitive workflows. An outdated Chrome or Edge installation can punch a hole in an otherwise well-defended network.
Enterprise fleet management adds complexity. Automatic updates may be disabled by Group Policy, deferred for compatibility testing, or blocked on air-gapped systems. Some organisations still run older browsers for legacy web apps, leaving them exposed to publicly known flaws. Even if your desktop team patched Windows itself, an unpatched browser remains a prime target.
Key questions for administrators:
- Are Chrome and Edge set to auto-update?
- Is Group Policy allowing the latest builds, or are you pinning to an older version?
- Do virtual desktop pools, kiosks, or shared devices update between sessions?
- What about Chromium-based line-of-business apps that embed an older engine version?
- Can your endpoint detection tool flag devices running Chrome versions prior to 147.0.7727.55?
Microsoft’s recognition of this CVE in its own Security Update Guide is a signal that enterprise customers should treat browser patching with the same urgency as operating system updates. Many vulnerability management platforms now ingest that guide and can generate reports on fleet exposure to Chromium-based threats.
The Steps to Take Today
Home users can protect themselves in minutes:
- Update Chrome – Click the three-dot menu, go to Help > About Google Chrome. The browser will download and install the latest version automatically. If the version number shown is 147.0.7727.55 or higher, you’re safe.
- Update Edge – Open the three-dot menu, go to Help and feedback > About Microsoft Edge. Allow the update to complete.
- Restart the browser – A pending update won’t take effect until you fully close and reopen the application.
- Turn on auto-update – Both Chrome and Edge include a background service that keeps the browser current. Don’t disable it.
- Watch for crashes – If your browser suddenly crashes while visiting an unfamiliar site, it could be an exploitation attempt. Report the crash details to your security team if you’re in a managed environment.
Enterprise administrators should take these additional actions:
- Run a version audit – Use your endpoint management tool to list all devices with Chrome versions older than 147.0.7727.55.
- Review update policies – In Group Policy, confirm that Chrome and Edge update settings are not set to “Updates disabled” or “Allow installation only from certain sources.”
- Check other Chromium browsers – Inventory all browser installations, including niche ones. A vulnerable browser on a single endpoint can be the entry point.
- Deploy updates through your software distribution tool – Many third-party patching tools can push out Chrome and Edge updates without waiting for built-in update mechanisms.
Because the fix is already widely available in stable channels, the biggest hurdle is not the patch itself but the deployment discipline within organisations.
The Bigger Picture: Why Browser Patches Can’t Wait
CVE-2026-5915 lands at a time when Chrome’s release cadence is accelerating. Version 147 moved through early-stable and stable channels in rapid succession, reflecting Google’s commitment to short patch windows. Yet a fix in the stable channel only matters if users actually receive it. The gap between patch availability and deployment is where real-world risk lives.
The WebML component will almost certainly face more scrutiny. Whenever a feature introduces new parsing and computation paths, attackers look for input-validation gaps. The fact that WebML handles untrusted web content directly makes it a high-value target, and CVE-2026-5915 may be a harbinger of similar bugs to come.
No credible reports of active exploitation have surfaced, but the details of this vulnerability are public now. Security researchers, exploit developers, and threat actors will study the patch diff and probe for weaknesses. The best defence is to update before those efforts mature. For Windows users—whether at home or in the office—the instruction is simple: open your browser’s About page, check the version, and let the update run. It takes seconds and closes a door that attackers are already trying to pry open.