{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6920", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-23T16:11:30.273Z", "datePublished": "2026-04-23T16:12:23.660Z", "dateUpdated": "2026-04-24T03:55:28.732Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.117", "status": "affected", "lessThan": "147.0.7727.117", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out of bounds read", "cweId": "CWE-125"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-23T16:12:23.660Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html"}, {"url": "https://issues.chromium.org/issues/499891888"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-6920"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T03:55:28.732Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T18:32:21.333856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T17:32:15.063Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "147.0.7727.117", "lessThan": "147.0.7727.117", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html"}, {"url": "https://issues.chromium.org/issues/499891888"}], "descriptions": [{"lang": "en", "value": "Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "Out of bounds read"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-23T16:12:23.660Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6920", "state": "PUBLISHED", "dateUpdated": "2026-04-24T03:55:28.732Z", "dateReserved": "2026-04-23T16:11:30.273Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-04-23T16:12:23.660Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB75176F-0FDC-47BF-A48D-D5F26FACD347", "versionEndExcluding": "147.0.7727.116", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-6920", "lastModified": "2026-04-24T16:39:41.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T18:16:30.640", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Vendor Advisory", "Permissions Required"], "url": "https://issues.chromium.org/issues/499891888"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "Google Chrome: Chromium: chromium-browser: Out of bounds read in GPU", "id": "2461226", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461226"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["An out of bounds read flaw was found in the GPU component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=499891888"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-6920", "public_date": "2026-04-23T16:12:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6920\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6920\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html\nhttps://issues.chromium.org/issues/499891888"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.117,147.0.7727.117)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-28T07:33:27.602041+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.117 or later on all Android devices.", "Disable GPU acceleration in Chrome on Android by turning off the \u201cEnable hardware acceleration\u201d setting or using the Chrome flag `chrome://flags/#enable-gpu` set to Disabled.", "Keep the Android operating system updated to the latest security patches, as the vulnerability is linked to GPU usage on Android.", "Limit exposure to untrusted web content by restricting user access to potentially malicious sites until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Sandbox Escape"}, "threat_synthesis": {"affected_systems": "Affected systems are Google Chrome browsers on Android devices running any version earlier than 147.0.7727.117. The vulnerability is tied specifically to the GPU acceleration path utilized by the renderer process on Android; no other operating systems or Chrome on desktop are mentioned in the description. Administrators should verify the version of Chrome installed on all Android devices and ensure it is updated to 147.0.7727.117 or later.", "description_and_impact": "Out of bounds read in the GPU component of Google Chrome on Android, versions prior to 147.0.7727.117, enables a remote attacker who has already compromised the renderer process to craft an HTML page that induces a sandbox escape. This flaw is a CWE-125 buffer under-read, which can expose memory contents outside the expected bounds and after exploitation may allow execution of arbitrary code outside the renderer\u2019s sandbox, compromising confidentiality, integrity, and availability of the device.", "risk_and_exploitability": "The CVSS score is 9.6, indicating a high severity vulnerability, but the EPSS score is below 1%, suggesting a low probability of exploitation at present. The risk is elevated because sandbox escape can lead to arbitrary code execution. The attack vector appears to be remote via a crafted HTML page that is processed by the renderer; an attacker must first compromise the renderer process, which may be achieved through other vulnerabilities or social engineering. Although the vulnerability is not listed in CISA\u2019s KEV catalog, organizations should prioritize patching as the only definitive fix."}}}}, "created": "2026-04-28T04:45:22.295071+00:00", "title": "Remote Sandbox Escape via GPU Out-of-Bounds Read in Chrome on Android", "updated": "2026-04-28T07:45:26.027210+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}