CVE-2026-6920
Published: 23 April 2026
Summary
CVE-2026-6920 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 11.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6920 is an out-of-bounds read vulnerability (CWE-125) in the GPU component of Google Chrome on Android versions prior to 147.0.7727.117. Published on 2026-04-23, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is classified as High severity by Chromium security.
The vulnerability can be exploited by a remote attacker who has already compromised the renderer process, using a crafted HTML page to potentially escape the sandbox. Exploitation requires user interaction, such as loading the malicious page in the browser. The CVSS vector reflects a changed scope (S:C) and high impact on confidentiality, integrity, and availability.
The fix is documented in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html and in the related Chromium issue at https://issues.chromium.org/issues/499891888. Affected users should update to Google Chrome on Android version 147.0.7727.117 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25252
Vulnerability details
Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in Chrome's GPU component on Android enables sandbox escape from the renderer process via a crafted HTML page, directly mapping to client-side exploitation (T1203) that requires user interaction to load the malicious page (T1204.001).
Mitigating Controls (NIST 800-53 r5)
Directly remediates the out-of-bounds read flaw in the Chrome GPU component, preventing sandbox escape exploitation by updating to version 147.0.7727.117 or later.
Implements memory protection safeguards such as address space randomization and non-executable memory to mitigate out-of-bounds read vulnerabilities that could lead to code execution and sandbox escape.
Enforces process isolation between the compromised renderer and GPU processes, limiting the scope and impact of potential sandbox escapes triggered by crafted HTML pages.