CVE-2025-1566: DNS Leak Vulnerability in ChromeOS Android Subsystem VPN Implementation Due to Unstable WireGuard Integration

Description

DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 129.0.6668.36 allows network observers to expose plaintext DNS queries via failure to properly tunnel DNS traffic during VPN state transitions.

Classification

CVE ID: CVE-2025-1566

Problem Types

Network Security Isolation (NSI)

Affected Products

Vendor: Google

Product: ChromeOS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.88% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1566
https://issuetracker.google.com/issues/342802975
https://issues.chromium.org/issues/b/342802975

Timeline

2025-04-17 00:40:22 UTC
CVE

DNS Leak Vulnerability in ChromeOS Android Subsystem VPN Implementation Due to Unstable WireGuard Integration