CVE-2026-6921
Published: 23 April 2026
Summary
CVE-2026-6921 is a high-severity Race Condition (CWE-362) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 8.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6921 is a race condition vulnerability (CWE-362) in the GPU component of Google Chrome on Windows versions prior to 147.0.7727.117. Published on 2026-04-23, it enables a remote attacker to potentially escape the Chrome sandbox via a crafted video file. Chromium assesses its security severity as Medium, with a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
The attack requires a remote attacker with no privileges to deliver a crafted video file, which a user must interact with by opening it (UI:R). Exploitation demands high complexity (AC:H) due to the race condition. If successful, it results in a sandbox escape, allowing high impacts on confidentiality, integrity, and availability with a change in scope (S:C).
Mitigation is available via the Google Chrome stable channel update to version 147.0.7727.117 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html. Additional details on the fix are provided in the Chromium issue tracker at https://issues.chromium.org/issues/493315759. Security practitioners should prioritize updating affected Windows Chrome installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25253
Vulnerability details
Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The race condition in Chrome's GPU component enables exploitation of a client application (T1203) to achieve sandbox escape, directly facilitating privilege escalation (T1068) from the sandboxed renderer process.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and correction of flaws like the GPU race condition in Chrome prior to version 147.0.7727.117, preventing sandbox escape via crafted video files.
Enables proactive vulnerability scanning to identify systems running vulnerable Chrome versions affected by this race condition, facilitating targeted remediation.
Ensures receipt and dissemination of security alerts and advisories, such as the Chrome Releases blog post announcing the patch for CVE-2026-6921.