CRITICAL🇵🇱 Wersja polska

CVE-2025-6179

CVSS 9.8v3.1pub. 2025-06-16upd. 2025-07-02

Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.

🤖 AI Analysis
How it works

The error classified as CWE-276 (incorrect default permissions) concerns the extension management mechanism in ChromeOS on managed devices. An attacker with local access to the device can exploit this vulnerability using ExtHang3r and ExtPrint3r tools. As a result, it is possible to disable extensions enforced by corporate policy and unlock Developer Mode, which opens the way for loading additional unauthorized extensions.

Impact

An attacker can disable security extensions enforced by the administrator, gain access to developer mode, and load their own potentially malicious extensions — which can lead to violations of confidentiality, integrity, and availability of data on the device.

Mitigation & patch

Patches available from the vendor should be applied according to references. It is recommended to monitor updates in Google Issue Tracker (issues.chromium.org/issues/b/399652193) and promptly implement the patched version of ChromeOS once released by Google.

Who is affected

Google ChromeOS version 16181.27.0 on managed Chrome devices.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chrome Os

    OS
    Google
    16181.27.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2016-4171CRITICAL9.8⚠ KEVten sam produkt

Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbi...

CVE-2016-1019CRITICAL9.8⚠ KEVten sam produkt

Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...

CVE-2014-0497CRITICAL9.8⚠ KEVten sam produkt

Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Wind...

CVE-2019-13690CRITICAL9.6ten sam produkt

Inappropriate implementation in OS in Google Chrome on ChromeOS prior to 75.0.3770.80 allowed a remote attacke...

CVE-2022-2587CRITICAL9.8ten sam produkt

Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a ...