Chrome LinkToTextMenuObserver::CompleteWithError Heap Use-After-Free

A use-after-free issue exists in Chrome 104 and earlier versions. Processing maliciously crafted web content may lead to arbitrary code execution in the browser process. LinkToTextMenuObserver holds a raw pointer to a RenderFrameHost object, but is not owned by the frame host and does not watch for frame host destruction events. Therefore, if an attacker manages to destroy the frame host right after the observer is created but before the timeout task posted in StartLinkGenerationRequestWithTimeout() is executed, use-after-free will occur.


SHA-256 | 071c2f32b441a15bf0f0c6db3397a3899a646938aeb7df15abb5fc345c9589e8


Related Posts