Google pushed Chrome 147 to the stable channel on April 7, 2026, and with it came a fix for CVE-2026-5913—an out-of-bounds read in the Blink rendering engine that lets a remote attacker read memory through a crafted web page. Even with a Low severity label, the web-delivered nature and the critical role of Blink make this a patch priority for every Windows user, IT admin, and anyone running a Chromium-based browser.
What CVE-2026-5913 Does — and Why It Matters
The vulnerability resides in Blink, the layout engine that powers Chrome, Edge, and dozens of other browsers. It’s a classic out-of-bounds read (CWE-125), meaning an attacker who tricks a user into visiting a malicious site can make the browser read memory beyond the intended buffer. Google’s advisory says the flaw allows “an out of bounds memory read via a crafted HTML page,” with no special privileges required.
Out-of-bounds reads don’t give attackers direct code execution, but they can leak sensitive information. Memory contents like encryption keys, authentication tokens, or the internal layout of memory protections can sit exposed, and skilled adversaries routinely chain such leaks with other bugs to build full exploits. That’s why the Chromium team tracks the bug as severity “Low,” yet it still demands a fast patch cycle—because the attack surface is the entire web.
The Low Severity Label: Don’t Let It Fool You
A Low severity rating in Chrome’s security scheme often means the flaw alone doesn’t pose an immediate code-execution threat. But for users and admins, the operational calculus is different. Here’s what really matters:
- Remote attack vector: You don’t need local access; a compromised ad, a phishing link, or a hijacked site can deliver the exploit.
- Memory disclosure aids further attacks: Leaked data can defeat Address Space Layout Randomization (ASLR) and other mitigations, making it easier to chain a more serious exploit later.
- Scale: Chrome’s immense user base and the shared Blink engine among many browsers mean a single bug can affect billions of devices.
Security teams should treat this as a “patch now” issue, not defer it because of the label.
Who Needs to Act — and How Quickly
If you use Chrome, you need version 147.0.7727.55 or later. That goes for Windows, macOS, Linux, and Android. The fix applies to desktop and mobile equally; Google’s release notes confirm the Android build contains the same security fixes. Other Chromium browsers like Edge, Brave, Vivaldi, and Opera will inherit the fix as they incorporate the upstream patch, but their update cadences differ—so checking each browser individually is prudent.
For enterprises, the clock starts immediately. Managed fleets that control browser updates through group policy, SCCM, or third-party tools should validate and push the update in their standard pilot rings without delay. A web-delivered memory disclosure bug on a fleet of corporate laptops is a genuine risk, even at Low severity.
Updating to Chrome 147: Step-by-Step
For individual users
- Open Chrome and click the three-dot menu > Help > About Google Chrome.
- The browser will check for updates automatically. If the version shown is 147.0.7727.55 (or .56 on some Windows/Mac builds), you’re safe.
- If an update is pending, let it download and click Relaunch.
For IT administrators
- Enforce the minimum version via Group Policy or your endpoint management solution. For Chrome, the ADMX templates let you set a version requirement.
- Use your patch management console to push the update across all endpoints. Monitor compliance closely; browser lag is common when users postpone restarts.
- Verify that Edge and other Chromium derivatives are also patched. Edge typically syncs with Chromium releases, but check Edge’s specific update channel.
For Android and iOS
- Update Chrome through the Google Play Store or Apple App Store. The fix is included in the latest release; you don’t need a separate security patch.
The Vulnerability Timeline: From Discovery to Patch
Google released Chrome 147 to the Stable channel on April 7, 2026. The CVE-2026-5913 entry appeared in the National Vulnerability Database (NVD) the following day, April 8, linking to the Chrome release notes and the underlying Chromium issue 487195286.
Microsoft then added the CVE to its Security Update Guide, making it visible in enterprise vulnerability management workflows that rely on Microsoft’s catalog. That cross-vendor visibility matters: even though Chrome isn’t Microsoft software, its presence on millions of Windows endpoints means security teams need a single pane of glass for tracking. The MSRC entry normalizes the data for patch orchestration tools.
The fast disclosure—patch first, then CVE, then third-party cataloging—reflects Chrome’s mature coordinated vulnerability handling process. Google often holds back full technical details until a majority of users have updated, which is wise for a bug that can be triggered by any malicious page.
What to Do After Updating: Beyond Just Patching
A one-click update is a good start, but a few extra steps can harden your environment:
- Review browser restart policies: Many exploits target machines where the browser hasn’t been relaunched after an update. Force restarts if your fleet supports it, and educate users not to ignore the “Relaunch” button.
- Scan for suspicious pre-patch crashes: Out-of-bounds reads can cause odd browser behavior. If your telemetry shows unexplained crashes or unusual navigation patterns around April 7-8, investigate for possible earlier exploitation.
- Check other Chromium-based apps: Electron apps, embedded webviews, and alternative browsers might use an older Blink engine. Ensure they are updated or flagged for remediation.
- Reinforce web isolation: While you can’t patch a browser engine every day, network defenses like proxy filtering, ad blocking, and application allowlisting can make it harder for malicious pages to reach endpoints in the first place.
Outlook: The Relentless Browser Security Cycle
CVE-2026-5913 is one of many memory-safety bugs in Blink—the Chrome 147 release alone patched dozens of vulnerabilities across various components. The sheer volume underlines why browser updates are a standing operational discipline, not a one-time event. Google’s close pairing of stable releases with CVE disclosures means that every new version likely squashes similar bugs.
What to watch next:
- Other Chromium-based browsers will likely issue advisories as they integrate the fix. Edge, Brave, Vivaldi, and Opera updates may mention the same CVE.
- If this bug was exploited in the wild, we might see blog posts from Google’s Threat Analysis Group (TAG) or third-party researchers later. The absence of such reports so far doesn’t guarantee safety; it only means no public evidence yet.
- Additional Blink-related CVEs often appear in clusters. Keep a close eye on Chrome’s release notes for subsequent patches.
For the average user, the takeaway is simple: let Chrome update and don’t postpone the restart. For IT shops, enforce that update now and treat browser patching with the same rigor as OS patching. The web is too hostile a place to run an out-of-date rendering engine.