Google ChromeOS DNS Leak Vulnerability in Native VPN

Vulnerability

A DNS leak vulnerability has been identified in Google ChromeOS Dev Channel, specifically in version 16002.23.0. This issue arises within the native system VPN, where DNS traffic is not properly tunneled during VPN state transitions. As a result, plaintext DNS queries can be exposed to network observers.

Impact

The vulnerability causes unencrypted DNS queries to be sent outside the VPN tunnel, where they can be intercepted and monitored by anyone observing the network.

Reproduction

The vulnerability can be reproduced by installing the WireGuard VPN app on a ChromeOS device, importing configuration files, and enabling the VPN connection. After setting the VPN to 'always-on' with 'block connections without VPN', DNS traffic leaks can be observed using a network monitoring tool, such as tcpdump.
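The following is an added example, not part of the original advisory: a small checker that reads tcpdump text output and reports plaintext DNS queries. It assumes the capture was taken with `tcpdump -n` on the physical interface rather than the tunnel interface, so any readable port-53 query is outside the tunnel. The sample lines, addresses and the function name `find_dns_leaks` are constructed for illustration.

```python
import re

# tcpdump -n text line: "<ts> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fam>IP6?) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Decoded UDP DNS query as tcpdump prints it: "<id>[+] [flags] <qtype>? <qname>"
QUERY_RE = re.compile(
    r"^\d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def find_dns_leaks(lines):
    """Return plaintext DNS queries seen in a physical-interface capture.

    Tunneled DNS appears only as opaque WireGuard UDP payloads, so a
    readable query to port 53 means the lookup bypassed the tunnel.
    Only UDP queries that tcpdump decoded are matched here.
    """
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue  # not a packet line, or not addressed to a resolver
        q = QUERY_RE.match(m["rest"])
        if q:
            leaks.append({
                "time": m["ts"],
                "resolver": m["dst"],
                "qtype": q["qtype"],
                "qname": q["qname"].rstrip("."),
            })
    return leaks

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
12:00:01.100000 IP 192.0.2.23.40000 > 203.0.113.10.51820: UDP, length 148
12:00:05.200000 IP 192.0.2.23.51234 > 192.0.2.1.53: 4660+ A? example.com. (29)
12:00:05.210000 IP 192.0.2.1.53 > 192.0.2.23.51234: 4660 1/0/0 A 198.51.100.7 (45)
12:00:05.300000 IP6 2001:db8::10.51000 > 2001:db8::53.53: 4661+ [1au] AAAA? example.org. (40)
12:00:06.000000 IP 192.0.2.23.40000 > 203.0.113.10.51820: UDP, length 96
""".splitlines()

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE):
        print(f"{leak['time']} leak: {leak['qtype']} {leak['qname']} -> {leak['resolver']}")
```

An empty result from a capture that spans a VPN connect, disconnect and reconnect is the expected outcome on a fixed build.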

Remediation

Users can update to the latest version of Google ChromeOS, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.