CVE-2025-6179 | Permissions Bypass in Extension Management in Google ChromeO… | CVSS 9.8 CRITICAL

Description

Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.

Metadata

CVE ID: CVE-2025-6179
State: PUBLISHED
Assigner: ChromeOS
Reserved: 2025-06-16 16:50 UTC
Published: 2025-06-16 16:56 UTC
Last updated: 2025-06-17 14:01 UTC
Primary CWE: CWE-276
CWE-276 Incorrect Default Permissions
Vendor / Product: Google / ChromeOS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Google	ChromeOS	—	16181.27.0

Weakness (CWE)

CWE	Source	Description
—	cna	Permissions Bypass / Privilege Escalation
CWE-276	adp	CWE-276 Incorrect Default Permissions

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)