PatchSiren

CVE-2026-6920 Google CVE debrief

An out-of-bounds read (CWE-125) in the GPU process of Google Chrome on Android, rated CRITICAL (CVSS v3.1 9.6), lets an attacker who already controls a compromised renderer process escape the Chrome sandbox. The flaw was fixed in Chrome 147.0.7727.117 for Android, released April 2026. The vector rates attack complexity as low and requires only that a user open a crafted HTML page, but the GPU bug is a second-stage link in an exploit chain: it is reachable only after a separate renderer compromise. No evidence of in-the-wild exploitation or ransomware campaign use is documented in the sources reviewed. Organizations should prioritize updating Android Chrome to 147.0.7727.117 or later.

Vendor
Google
Product
Chrome
CVSS
CRITICAL 9.6
CISA KEV
Not listed as of the source data timestamp
Original CVE published
2026-04-23
Original CVE updated
2026-05-26
Advisory published
2026-04-23
Advisory updated
2026-05-26

Who should care

Mobile security teams, Android enterprise administrators, BYOD program managers, and organizations with significant mobile browser attack surface. Particularly relevant for environments where users access untrusted web content or where renderer exploitation is a documented threat vector.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125) in Chrome's GPU process on Android, triggered by a crafted HTML page. The GPU process handles graphics commands on behalf of renderers and runs with fewer restrictions than the renderer sandbox, so a remote attacker who has already compromised a renderer can use this flaw, chained with that renderer compromise, to escape the sandbox and run code at the GPU process's higher privilege level. The attack is launched over the network, requires user interaction (visiting the page) and needs no authentication. The CVSS v3.1 score of 9.6 reflects high impact on confidentiality, integrity and availability together with a scope change (S:C), meaning exploitation crosses the renderer sandbox boundary into a separately privileged component; without the scope change the same vector would score 8.8.

Defensive priority

critical

Recommended defensive actions

  • Update Google Chrome on Android devices to version 147.0.7727.117 or later; Chrome on Android updates through Google Play, so confirm the Play rollout has actually reached managed devices rather than assuming it
  • Verify the installed version via Settings > About Chrome (or `adb shell dumpsys package com.android.chrome` on enrolled devices) and enable automatic updates
  • Monitor crash-reporting and MDM telemetry for unexpected renderer or GPU process crashes; a failed out-of-bounds read can crash the GPU process, so crash clusters across a fleet are a noisy but useful exploitation indicator
  • For high-risk user populations, limit browsing to trusted sites until patching completes; this reduces exposure to the initial renderer compromise the chain requires
  • Review enterprise mobile device management policies to enforce a minimum Chrome version and to flag or quarantine devices that fall below it
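A fleet check for the version-verification step above, as an added example for this debrief (not PatchSiren or Google code). It assumes the adb CLI is on PATH, the stable Chrome package name com.android.chrome, and uses the advisory's fixed version as the threshold; the dumpsys snippet is a constructed sample, not captured device output. The point it makes beyond the bullet is that Chrome's four-part version must be compared numerically: as strings, "147.0.7727.96" sorts after "147.0.7727.117" and would wrongly pass.

```python
"""Enumerate Android devices over adb and flag Chrome builds older than the
fixed version.  Added example for this debrief; not PatchSiren or Google code.
Assumes the adb CLI is on PATH and the stable Chrome package name
com.android.chrome; FIXED_VERSION is the advisory's value."""
import re
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION = "147.0.7727.117"
CHROME_PACKAGE = "com.android.chrome"

# Constructed sample of `adb shell dumpsys package com.android.chrome` output,
# trimmed to the lines that matter; real output is much longer.
SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (7d3c1a9):
    userId=10142
    versionCode=772709600 minSdk=29 targetSdk=35
    versionName=147.0.7727.96
    splits=[base, config.arm64_v8a, config.en]
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '147.0.7727.96' into (147, 0, 7727, 96).

    Chrome versions are four dot-separated integers.  Comparing them as
    strings is wrong ('147.0.7727.96' > '147.0.7727.117' lexically), so
    compare tuples of ints instead.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def parse_version_name(dumpsys_output: str) -> Optional[str]:
    """Extract the first versionName= value from `dumpsys package` output.

    An uninstalled package yields no versionName line, so None means the
    package is absent (or the output was not dumpsys package output).
    """
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed build or newer."""
    return version_tuple(version) >= version_tuple(fixed)


def assess_dumpsys(dumpsys_output: str) -> str:
    """Classify one device as 'patched', 'vulnerable' or 'not-installed'."""
    v = parse_version_name(dumpsys_output)
    if v is None:
        return "not-installed"
    return "patched" if is_patched(v) else "vulnerable"


def list_devices() -> List[str]:
    """Serials of devices in the 'device' state from `adb devices`."""
    out = subprocess.run(["adb", "devices"], capture_output=True,
                         text=True, check=True).stdout
    serials = []
    for line in out.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def check_device(serial: str) -> str:
    """Run dumpsys on one device and classify its Chrome build."""
    out = subprocess.run(
        ["adb", "-s", serial, "shell", "dumpsys", "package", CHROME_PACKAGE],
        capture_output=True, text=True, check=True).stdout
    return assess_dumpsys(out)


if __name__ == "__main__":
    for serial in list_devices():
        print(f"{serial}\t{check_device(serial)}")
```

Run it from a host with the managed devices attached or reachable over adb; devices that report "vulnerable" are the ones to chase through Play or the MDM console.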

Evidence notes

Vulnerability classification and severity ratings derived from the NVD CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), which evaluates to 9.6. Affected product scope taken from the NVD CPE criteria, which list Chrome on Android versions prior to 147.0.7727.116; the vendor advisory and release notes name 147.0.7727.117 as the fixed release. The two boundaries differ by one build, so treat 147.0.7727.117 as the minimum patched version when checking devices. No KEV listing present as of the source data timestamp.

Official resources

2026-04-23