CVE-2025-1704: ComponentInstaller Vulnerability Allowing Chromebook Unenrollment and Potential Device Management Key Interception in ChromeOS

Description

ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks allows enrolled users with local access to unenroll devices and intercept device management requests via loading components from the unencrypted stateful partition.

Classification

CVE ID: CVE-2025-1704

Problem Types

Use-After-Free (UAF)

Affected Products

Vendor: Google

Product: ChromeOS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.81% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1704
https://issuetracker.google.com/issues/359915523
https://issues.chromium.org/issues/b/359915523

Timeline