Google has released an emergency security update for Chrome’s Stable channel, pushing versions 147.0.7727.116/117 for Windows and macOS, and 147.0.7727.116 for Linux, addressing 19 security vulnerabilities, including three externally reported high- and medium-severity flaws that could allow sandbox escape and remote code execution.
Released on April 21–22, 2026, the latest Chrome Stable channel update rolls out to users progressively over the coming days and weeks across all major desktop platforms.
The update addresses 19 security vulnerabilities, a mix of high- and medium-severity bugs discovered by both internal Google engineers and external security researchers. This release follows an earlier Chrome 147 launch in early April that patched 60 vulnerabilities, including two critical buffer overflow flaws in the WebML component.
CVE-2026-6919: Use-After-Free in DevTools
A use-after-free (UAF) vulnerability in Chrome’s DevTools component, tracked as CVE-2026-6919, was reported by a researcher identified as c6eed09fc8b174b0f3eebedcceb1e792 on March 18, 2026.
Use-after-free bugs occur when a program continues to reference memory that has already been deallocated, which can let an attacker who controls the data that later occupies the freed memory inject and execute arbitrary code. A remote attacker who had already compromised the renderer process could exploit this flaw to escalate privileges or further pivot within a targeted system.
CVE-2026-6920: Out-of-Bounds Read in GPU
CVE-2026-6920 is an out-of-bounds read vulnerability residing in Chrome’s GPU component. According to vulnerability intelligence, this flaw has a CVSS score of 7.5 and affects Google Chrome on Android before version 147.0.7727.117.
By exploiting this vulnerability via a specially crafted HTML page, a remote attacker who had compromised the renderer process could potentially perform a full sandbox escape, one of the most dangerous outcomes in browser security.
CVE-2026-6921: Race Condition in GPU
The third externally reported flaw, CVE-2026-6921, is a race condition (CWE-362) in Chrome’s GPU component on Windows. According to published vulnerability data, this flaw allowed a remote attacker to potentially achieve a sandbox escape through a specially crafted video file.
While classified as medium severity, race conditions in GPU processing can be notoriously difficult to patch reliably and carry real-world exploitation potential when chained with other browser vulnerabilities.
This update arrives against the backdrop of an increasingly active threat environment targeting Chrome’s core components throughout 2026.
Google has already patched multiple actively exploited zero-days this year, including CVE-2026-2441 (use-after-free in CSS) in February, CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (V8 JavaScript engine flaw) in March, and CVE-2026-5281 (WebGPU Dawn zero-day confirmed exploited in the wild) in late March.
Collectively, these incidents underscore a sustained focus by attackers on GPU processing, memory management, and JavaScript engine components in Chromium-based browsers.
The earlier Chrome 147 baseline release (versions 147.0.7727.55/56) in April patched 60 vulnerabilities and led Google to award $118,000 in bug bounty rewards to external researchers. The two critical flaws in that cycle, CVE-2026-5858 and CVE-2026-5859, were both buffer and integer overflow vulnerabilities in the WebML component.
Beyond the three externally reported CVEs, the 147.0.7727.116/117 update includes a broad set of fixes stemming from Google’s continuous internal security work, captured under issue 505764421 and described as “various fixes from internal audits, fuzzing, and other initiatives.”
Google’s security engineering pipeline relies on industry-leading dynamic analysis tools, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity (CFI), libFuzzer, and AFL, to proactively surface memory corruption bugs before they reach the stable channel.
This automated fuzzing infrastructure is widely credited with discovering the majority of Chrome’s internally patched vulnerabilities each release cycle.
Update Google Chrome
Updating Chrome takes less than two minutes and is the most critical mitigation available. Follow these steps:
- Open Google Chrome and click the three-dot menu in the top-right corner
- Navigate to Help → About Google Chrome
- Chrome will automatically check for and download the latest update
- Click Relaunch to apply the update and confirm you are running 147.0.7727.116 or 147.0.7727.117
- Enterprise users should push the update via Google Admin Console or their preferred patch management platform to ensure fleet-wide coverage
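For fleet-wide confirmation of the version check in the last two steps, the following added example (not from Google or the original article) classifies desktop hosts from an inventory export against the fixed build 147.0.7727.116 named above. The inventory rows, host names and the three-column layout are constructed assumptions; Android is left out because it updates through Google Play.

```python
# Minimum fixed desktop builds, taken from the article text (116 on all three; 117 also ships on Windows/macOS).
FIXED = {
    "windows": (147, 0, 7727, 116),
    "macos": (147, 0, 7727, 116),
    "linux": (147, 0, 7727, 116),
}

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one host."""
    minimum = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unlisted platform or unparsable version: review by hand
    # Compare as integer tuples; as plain strings, "…7727.56" would sort above "…7727.116".
    return "patched" if version >= minimum else "outdated"

def audit(inventory):
    """Group host names by status for rows of (host, platform, version)."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "147.0.7727.117"),
    ("ws-002", "Windows", "147.0.7727.56"),
    ("mac-014", "macOS", "147.0.7727.116"),
    ("lnx-007", "Linux", "146.0.7000.10"),
    ("lnx-009", "Linux", "147.0.7727.116"),
    ("kiosk-3", "ChromeOS", "147.0.7727.116"),
    ("ws-044", "Windows", "147.0.7727"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown are not treated as safe; they need a manual check of the installed build.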
FAQ
Q1: Is CVE-2026-6920 being actively exploited in the wild?
As of the publication of this update, Google has not confirmed in-the-wild exploitation of CVE-2026-6920, but the potential for sandbox escapes makes immediate patching critical.
Q2: Does this Chrome update affect Android users?
Yes, CVE-2026-6920’s out-of-bounds GPU read specifically affects Chrome on Android, and users should update via Google Play to version 147.0.7727.111 or later.
Q3: What is a sandbox escape, and why is it dangerous?
A sandbox escape allows an attacker to break out of Chrome’s isolated process environment and interact with the underlying OS, enabling full device compromise beyond the browser.
Q4: How many Chrome security vulnerabilities has Google patched in 2026 so far?
Including this update, Google has patched over 100 Chrome security vulnerabilities in 2026, with multiple zero-days exploited in the wild across CSS, Skia, V8, WebGPU, and GPU components.
Site: thecybrdef.com