Chrome sandbox escape via video file (CVE-2026-6921)
CVE-2026-6921
High-severity Chrome GPU race condition enables sandbox escape on Windows. Update to version 147.0.7727.117 or later to block attackers from escaping the browser sandbox.
Vendor-confirmed - CVE-2026-6921 is a high-severity race condition in Google Chrome’s GPU component on Windows, in versions prior to 147.0.7727.117, that allows remote attackers to escape the sandbox and execute code outside the browser’s restricted environment. Update immediately to prevent attackers from chaining this with other exploits for full system compromise.
Overview
CVE-2026-6921 is a race condition vulnerability in Google Chrome’s GPU component on Windows systems, affecting versions prior to 147.0.7727.117. This medium-severity vulnerability (per Chromium) carries a CVSS score of 8.3 (High) due to the potential for sandbox escape, which compounds the risk significantly.
Technical Details
The vulnerability exists in how Chrome’s GPU process handles video file processing. A race condition occurs when a crafted video file is processed, creating a timing window that an attacker can exploit. The attack requires:
- Network access to deliver the malicious file
- User interaction (the victim must open the crafted video)
- High attack complexity (exploitation requires precise timing)
If successfully exploited, this vulnerability allows a remote attacker to escape Chrome’s sandbox, gaining code execution privileges beyond the browser’s restricted environment.
Impact Assessment
While sandbox escapes are serious, CISA has not confirmed active exploitation of this vulnerability. The primary risk scenario involves an attacker combining this exploit with a separate browser vulnerability to achieve full system compromise.
Organizations using Chrome on Windows should treat this as a medium-to-high priority patch, particularly for users who frequently open untrusted video files or visit unfamiliar websites.
Remediation
Update Google Chrome to version 147.0.7727.117 or later. Chrome typically updates automatically, but administrators should verify that automatic updates are enabled in enterprise deployments.
Verification steps:
- Open Chrome and navigate to chrome://settings/help
- Confirm the version is 147.0.7727.117 or higher
- Restart Chrome if an update was applied
Security Insight
This vulnerability highlights a recurring pattern in browser security: GPU components remain a weak point in sandbox architectures. Unlike previous Chrome GPU vulnerabilities that required complex chaining (like CVE-2025-2783), this single-race-condition escape demonstrates that hardware-accelerated processing paths continue to be an attractive attack surface that browser vendors struggle to fully isolate.