Cyber Resilience

CVE-2026-6921

High

Published: 23 April 2026

Published
23 April 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0019 8.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6921 is a high-severity Race Condition (CWE-362) vulnerability in Google Chrome. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6921 is a race condition vulnerability (CWE-362) in the GPU component of Google Chrome on Windows versions prior to 147.0.7727.117. Published on 2026-04-23, it enables a remote attacker to potentially escape the Chrome sandbox via a crafted video file. Chromium assesses its security severity as Medium, with a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

The attack requires a remote attacker with no privileges to deliver a crafted video file, which a user must interact with by opening it (UI:R). Exploitation demands high complexity (AC:H) due to the race condition. If successful, it results in a sandbox escape, allowing high impacts on confidentiality, integrity, and availability with a change in scope (S:C).

Mitigation is available via the Google Chrome stable channel update to version 147.0.7727.117 or later, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html. Additional details on the fix are provided in the Chromium issue tracker at https://issues.chromium.org/issues/493315759. Security practitioners should prioritize updating affected Windows Chrome installations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The race condition in Chrome's GPU component enables exploitation of a client application (T1203) to achieve sandbox escape, directly facilitating privilege escalation (T1068) from the sandboxed renderer process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5902Same product: Google Chrome
CVE-2026-6920Same product: Google Android
CVE-2026-8520Same product: Google Chrome
CVE-2025-8880Same product: Google Chrome
CVE-2026-6919Same product: Google Android
CVE-2026-7948Same product: Google Chrome
CVE-2026-7908Same product: Google Chrome
CVE-2026-6314Same product: Google Chrome
CVE-2026-6304Same product: Google Chrome
CVE-2026-2319Same product: Google Chrome

Affected Assets

google
chrome
≤ 147.0.7727.116

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of flaws like the GPU race condition in Chrome prior to version 147.0.7727.117, preventing sandbox escape via crafted video files.

detect

Enables proactive vulnerability scanning to identify systems running vulnerable Chrome versions affected by this race condition, facilitating targeted remediation.

detect

Ensures receipt and dissemination of security alerts and advisories, such as the Chrome Releases blog post announcing the patch for CVE-2026-6921.

References