Google shipped Chrome 147.0.7727.117 for Android on Tuesday, patching a high-severity GPU bug that could let an attacker escape the browser's protective sandbox after first compromising the renderer process. The flaw, tracked as CVE-2026-6920, was reported by a Microsoft researcher and carries a critical 9.6 CVSS score from CISA—but its reach extends far beyond Android phones.
Microsoft's Security Update Guide now lists the same vulnerability, confirming that the Chromium-based Edge browser was affected until its own latest update. For Windows users and IT managers, the advisory is a blunt reminder that browser security patches are not optional, no matter which operating system you run.
What Actually Happened
CVE-2026-6920 is an out-of-bounds read in Chrome's GPU component. That's a technical way of saying that the browser's graphics pipeline reads memory it shouldn't, potentially exposing system-level secrets like memory layout or security tokens. An attacker who has already taken over Chrome's renderer—the part that turns HTML into pixels—can exploit that flaw to break out of the browser sandbox and execute code on the device itself.
This isn't a one-click takeover. The attacker needs a second bug to hijack the renderer first. But in practice, browser exploits are often chained, and a sandbox escape like this is the final link that turns a limited compromise into a device-wide breach. The bug lives in the GPU process, which handles rich web content, video, WebGL, and other graphics-heavy tasks. Because the GPU interacts directly with low-level drivers and hardware, a flaw there is especially dangerous.
Google's Chrome release notes list the issue as high severity, credited to "tatiwari" of Microsoft. The official CVE record shows a CISA-ADP score of 9.6 out of 10, pushing it into critical territory. Microsoft's own advisory adds that the latest version of Edge is no longer vulnerable, confirming the bug's cross-browser scope.
What It Means For You
For Android Users
If you run Chrome on an Android phone or tablet, check your version now. The fix is in build 147.0.7727.117, available via Google Play. Hitting "Update" is the only reliable defense. Android Chrome updates are staged, meaning some devices may not see the patch immediately. Open the Play Store and manually refresh the update list. After updating, restart Chrome and verify the version by tapping the three-dot menu > Settings > About Chrome.
For Windows Users
You are not directly targeted by this specific attack path—it requires a compromised Android Chrome renderer—but the same codebase underpins Microsoft Edge and all Chromium-based browsers on Windows. Microsoft says "the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable," so if you've kept Edge up to date, you're already protected. That said, update any other Chromium browsers (Brave, Vivaldi, Opera) as their patches arrive.
For IT Administrators
This CVE is a textbook case of why mobile browser management belongs in every endpoint security policy. Managed Android devices that run outdated Chrome become stepping stones into corporate systems. If you use Microsoft Intune or another EMM, enforce a compliance rule that marks devices with Chrome below 147.0.7727.117 as noncompliant. Check your reporting for older builds and push updates aggressively. For Windows fleets, confirm Edge is on the latest stable version. Watch for scanner confusion: some vulnerability tools may incorrectly flag Android builds based on early CPE data that listed version 147.0.7727.116 as fixed. The actual safe version is 147.0.7727.117.
How We Got Here
Chrome's sandbox is legendary. It isolates the renderer—the most exposed part of the browser—so even if an attacker hijacks it, they can't touch the rest of the device. But that isolation depends on a clean interface between the renderer and higher-privilege processes like the GPU. An out-of-bounds read in the GPU component creates a crack in that wall.
GPU sandbox escapes have become a recurring theme in browser security. In 2022, a similar chain in Chrome's WebGPU code was exploited in the wild. The GPU process is attractive to attackers because it has direct access to memory and drivers that can be twisted to defeat address space layout randomization (ASLR) or other mitigations. Even a simple memory read can leak the map needed to craft a follow-up attack.
Microsoft's involvement is no coincidence. The company has been one of Chrome's most active external reporters, uncovering dozens of high-impact bugs. Its researchers use fuzzing tools and manual code review to probe Chromium's sandbox boundaries, and findings like CVE-2026-6920 get fed back into both Chrome and Edge. That cross-vendor collaboration means a Chrome bug is often an Edge bug, and a fix for one becomes a fix for the other.
What To Do Now
Update Chrome on Android immediately. The single most effective step is to install version 147.0.7727.117 from Google Play. Do not wait for an automatic update that may be delayed by staged rollout.
Update all Chromium-based browsers on Windows and Mac. Launch Microsoft Edge, go to the three-dot menu, select Help and Feedback > About Microsoft Edge, and let it download the latest update. For Brave and others, repeat the process.
Verify the version. On Android Chrome, the About screen is under Settings > About Chrome. On Edge, it's at edge://settings/help. The exact build number should match or exceed the patched version: 147.0.7727.117 for Chrome, and a corresponding recent build for Edge (Edge versions don't map directly to Chrome's, but the latest stable channel ensures you're protected).
For IT admins, audit your Android fleet. Query managed devices for Chrome version. If your EMM reports version 147.0.7727.116 as "no longer vulnerable," override that finding—the official threshold is .117. Apply compliance policies that block access to corporate resources until the browser is updated.
Watch for exploit attempts. While there's no public exploit code yet, advanced attackers may already be working on chaining this bug. Browser compromise on mobile is harder to detect than on desktop, so unusual battery drain, crashes, or unexpected redirects could be signs of trouble. For high-risk users (executives, journalists, activists), consider a mobile threat defense solution that monitors browser integrity.
Outlook
Expect the public technical details to emerge within weeks, once the majority of users have patched. At that point, the risk of copycat attacks will spike, especially if a proof-of-concept surfaces. Google will likely ship a similar fix for Chrome on other platforms in a routine stable channel update—the Android-specific notation in this CVE may simply reflect the initial scope of the report, not the full impact.
Microsoft's advisory confirms that Edge is already patched, but other Chromium derivatives may lag. IT teams should monitor release feeds from Brave, Vivaldi, and Opera and push updates as soon as they ship. For consumers, the lesson is simple but urgent: the browser is the most attacked piece of software on your device, and its updates are not optional. Checking for updates today takes less than a minute; the alternative could cost far more.