Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.
AnalysisAI
Critical permissions bypass vulnerability in Google Chrome OS 16181.27.0 that allows local attackers to disable extensions and gain unauthorized access to Developer Mode on managed Chrome devices. The vulnerability is exploited using the ExtHang3r and ExtPrint3r tools to load arbitrary extensions, affecting enterprise-managed deployments with a CVSS score of 9.8 (critical severity). Active exploitation status and proof-of-concept availability should be verified through CISA KEV and security advisories.
Technical ContextAI
This vulnerability exploits improper access control in Chrome OS's extension management subsystem (CWE-276: Incorrect Default Permissions). The ExtHang3r and ExtPrint3r tools leverage weaknesses in the extension permission validation framework, specifically in how Chrome OS enforces extension policies on managed devices. The affected component is Chrome OS version 16181.27.0, which fails to properly validate user privileges before allowing extension disablement and Developer Mode access. The root cause is insufficient authorization checks in the extension management API, allowing local processes to bypass policy enforcement mechanisms that should restrict these operations to administrators or verified system processes. This is particularly severe on managed Chrome devices where extension policies are centrally enforced through enterprise policies.
RemediationAI
Immediate actions: (1) Apply Chrome OS security updates beyond version 16181.27.0 - verify patch version from Google Chrome OS releases and LTSB branches. (2) For managed devices, enforce extension policies via admin console: disable extension installation, block Developer Mode access, and enforce policy enforcement. (3) Implement network segmentation to restrict local attack vectors and reduce lateral movement potential. (4) Monitor for suspicious extension installation attempts and Developer Mode activations using Chrome Device Management logs. (5) Temporarily disable or restrict user access to affected Chrome OS 16181.27.0 devices until patches are applied. Patch availability should be confirmed at https://chromereleases.googleblog.com/ and applied to all managed Chrome device fleet. Consider mandatory enrollment in Chrome OS auto-update to prevent version stalling.
Out-of-Bounds Read in netfilter/ipset in Linux Kernel ChromeOS [6.1, 5.15, 5.10, 5.4, 4.19] allows a local attacker with
A race condition Use-After-Free vulnerability exists in the virtio_transport_space_update function within the Kernel 5.4
Out-of-Bounds Read in Virglrenderer in ChromeOS 16093.57.0 allows a malicious guest VM to achieve arbitrary address acce
The Imagination Technologies driver for Chrome OS before R74-11895.B, R75 before R75-12105.B, and R76 before R76-12208.0
Mesa, as used in Google Chrome before 21.0.1183.0 on the Acer AC700, Cr-48, and Samsung Series 5 and 5 550 Chromebook pl
Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and
The boot implementation in Google Chrome OS before 33.0.1750.152 does not properly consider file persistence, which allo
ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 15823.23.0 on Chromebooks allows enrolled users
Use-after-free vulnerability in the O3D plug-in in Google Chrome OS before 26.0.1410.57 allows remote attackers to cause
Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.27 on the Acer AC700, Samsung Series 5, and Cr-48
The GPU process in Google Chrome OS before 25.0.1364.173 allows attackers to cause a denial of service or possibly have
Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.60 on the Acer AC700, Samsung Series 5, and Cr-48
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18417