Cyber Resilience

CVE-2026-6920

Critical

Published: 23 April 2026

Published
23 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0021 11.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6920 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6920 is an out-of-bounds read vulnerability (CWE-125) in the GPU component of Google Chrome on Android versions prior to 147.0.7727.117. Published on 2026-04-23, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as High severity by Chromium security.

The vulnerability can be exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially escape the sandbox. Exploitation requires user interaction, such as loading the malicious page in the browser, and leverages the high scope and impact scores for confidentiality, integrity, and availability.

Mitigation is addressed in the Chrome stable channel update documented at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html and the related Chromium issue at https://issues.chromium.org/issues/499891888; affected users should update to Google Chrome on Android version 147.0.7727.117 or later.

EU & UK References

Vulnerability details

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The out-of-bounds read in Chrome's GPU component on Android enables sandbox escape from the renderer process via a crafted HTML page, directly mapping to client-side exploitation (T1203) that requires user interaction to load the malicious page (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12725Same product: Google Android
CVE-2026-6921Same product: Google Android
CVE-2026-6308Same product: Google Chrome
CVE-2026-5907Same product: Google Chrome
CVE-2026-7995Same product: Google Chrome
CVE-2026-4460Same product: Google Chrome
CVE-2026-9121Same product: Google Chrome
CVE-2026-4674Same product: Google Chrome
CVE-2026-4462Same product: Google Chrome
CVE-2026-4677Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.116

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read flaw in the Chrome GPU component, preventing sandbox escape exploitation by updating to version 147.0.7727.117 or later.

prevent

Implements memory protection safeguards such as address space randomization and non-executable memory to mitigate out-of-bounds read vulnerabilities that could lead to code execution and sandbox escape.

prevent

Enforces process isolation between the compromised renderer and GPU processes, limiting the scope and impact of potential sandbox escapes triggered by crafted HTML pages.

References