Skip to main content

Chrome Os CVE-2025-6177

| EUVDEUVD-2025-18418 HIGH
Improper Privilege Management (CWE-269)
2025-06-16 7f6e188d-c52a-4a19-8674-3c3fa7d1fc7f
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18418
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
CVE Published
Jun 16, 2025 - 17:15 nvd
HIGH 7.4

DescriptionCVE.org

Privilege Escalation in MiniOS in Google ChromeOS (16063.45.2 and potentially others) on enrolled devices allows a local attacker to gain root code execution via exploiting a debug shell (VT3 console) accessible through specific key combinations during developer mode entry and MiniOS access, even when developer mode is blocked by device policy or Firmware Write Protect (FWMP).

AnalysisAI

Local privilege escalation vulnerability in Google ChromeOS MiniOS that allows unauthenticated attackers to achieve root code execution by exploiting an accessible debug shell (VT3 console) through specific key combinations during developer mode entry, circumventing device policy restrictions and Firmware Write Protect mechanisms. This vulnerability affects ChromeOS version 16063.45.2 and potentially other versions on enrolled devices, with a CVSS score of 7.4 indicating high severity. The attack requires local access and specific technical knowledge of key sequences, but no user interaction is needed once device access is obtained.

Technical ContextAI

The vulnerability resides in Google ChromeOS MiniOS, a minimal operating system environment used during the boot sequence and recovery operations on ChromeOS devices. The root cause is classified under CWE-269 (Improper Access Control / Uncontrolled Resource Consumption), indicating inadequate privilege validation and access restrictions on the VT3 debug console. The VT3 console is a debugging interface that should be restricted but remains accessible through specific key combinations even when developer mode is disabled by device policy or Firmware Write Protect (FWMP). Affected CPE would be: cpe:2.3:o:google:chrome_os:16063.45.2:*:*:*:*:*:*:* and potentially cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:* for broader version ranges. The vulnerability exploits improper access control to a privileged debug interface, allowing escalation from local unprivileged context to root.

RemediationAI

Patch and Mitigation Strategies: (1) Primary Remediation: Update to ChromeOS version beyond 16063.45.2 (specific patched version not provided in source data - check Google ChromeOS release notes and security advisories for the patched version); (2) Interim Mitigations for unpatched systems: Enforce strict physical security controls to prevent unauthorized local access to devices; (3) Ensure Firmware Write Protect (FWMP) and developer mode restrictions remain enabled (note: these do not block the vulnerability but are part of defense-in-depth); (4) Monitor ChromeOS devices for unauthorized MiniOS or boot sequence access attempts; (5) Review device enrollment and MDM policies to restrict local access to enrolled devices; (6) Deploy Google ChromeOS security updates through your MDM solution as they become available. Administrators should check Google's official ChromeOS security page and their device management console for patch availability and deployment status.

CVE-2025-6179 CRITICAL POC
9.8 Jun 16

Critical permissions bypass vulnerability in Google Chrome OS 16181.27.0 that allows local attackers to disable extensio

CVE-2025-2073 HIGH POC
8.8 Apr 16

Out-of-Bounds Read in netfilter/ipset in Linux Kernel ChromeOS [6.1, 5.15, 5.10, 5.4, 4.19] allows a local attacker with

CVE-2025-1290 HIGH POC
8.1 Apr 17

A race condition Use-After-Free vulnerability exists in the virtio_transport_space_update function within the Kernel 5.4

CVE-2025-2509 HIGH POC
7.8 May 06

Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 allows a malicious guest VM to achieve arbitrary address acce

CVE-2019-16508 HIGH POC
7.8 Oct 01

The Imagination Technologies driver for Chrome OS before R74-11895.B, R75 before R75-12105.B, and R76 before R76-12208.0

CVE-2012-2864 CRITICAL
10.0 Aug 22

Mesa, as used in Google Chrome before 21.0.1183.0 on the Acer AC700, Cr-48, and Samsung Series 5 and 5 550 Chromebook pl

CVE-2014-3188 CRITICAL
10.0 Oct 08

Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and

CVE-2014-1708 CRITICAL
10.0 Mar 16

The boot implementation in Google Chrome OS before 33.0.1750.152 does not properly consider file persistence, which allo

CVE-2025-1704 MEDIUM POC
6.5 Apr 16

ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 15823.23.0 on Chromebooks allows enrolled users

CVE-2013-2833 CRITICAL
10.0 Apr 16

Use-after-free vulnerability in the O3D plug-in in Google Chrome OS before 26.0.1410.57 allows remote attackers to cause

CVE-2012-0695 CRITICAL
10.0 Jan 12

Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.27 on the Acer AC700, Samsung Series 5, and Cr-48

CVE-2013-0915 CRITICAL
10.0 Mar 18

The GPU process in Google Chrome OS before 25.0.1364.173 allows attackers to cause a denial of service or possibly have

Share

CVE-2025-6177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy