Chrome LinkToTextMenuObserver::CompleteWithError Heap Use-After-Free

Posted by deepcore on September 17, 2022 – 3:36 am

A use-after-free issue exists in Chrome 104 and earlier versions. Processing maliciously crafted web content may lead to arbitrary code execution in the browser process. LinkToTextMenuObserver holds a raw pointer to a RenderFrameHost object, but it is not owned by the frame host and does not watch for frame host destruction events. Therefore, if an attacker manages to destroy the frame host right after the observer is created but before the timeout task posted in StartLinkGenerationRequestWithTimeout() executes, a use-after-free occurs.
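The lifetime mistake described above, as an added example that is not Chromium code: a constructed model in which an observer posts a timeout task against a frame host, shown first in the raw-pointer shape that dangles and then in a weak-handle shape (std::weak_ptr standing in for base::WeakPtr) that turns a late task into a no-op. FrameHost, TaskQueue and both observer class names are hypothetical stand-ins.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed model of the bug class; not Chromium code, all names hypothetical.
struct FrameHost { int routing_id; };
// Stand-in for a task runner: tasks posted now run later, when RunAll() is called.
struct TaskQueue {
  std::vector<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void RunAll() { auto pending = std::move(tasks); tasks.clear(); for (auto& t : pending) t(); }
};

// Vulnerable shape: a raw pointer is captured and nothing tracks the host's
// lifetime, so the timeout task reads whatever the pointer now points at.
struct RawPointerObserver {
  FrameHost* host_;  // dangles once the host is destroyed
  explicit RawPointerObserver(FrameHost* host) : host_(host) {}
  void StartWithTimeout(TaskQueue& q, std::string* out) {
    q.Post([host = host_, out] { *out = std::to_string(host->routing_id); });  // UAF if freed
  }
};

// Hardened shape: hold a weak handle (std::weak_ptr here, base::WeakPtr in Chromium)
// and re-check it inside the task, so a host destroyed in the window is skipped.
struct WeakObserver {
  std::weak_ptr<FrameHost> host_;
  explicit WeakObserver(std::weak_ptr<FrameHost> host) : host_(std::move(host)) {}
  void StartWithTimeout(TaskQueue& q, std::string* out) {
    q.Post([host = host_, out] {
      auto live = host.lock();
      *out = live ? std::to_string(live->routing_id) : "skipped: host gone";
    });
  }
};

// Drives the race window from the post: start the request, optionally tear the
// host down, then let the posted timeout run. Returns what the task observed.
std::string RunHardened(bool destroy_host_before_timeout) {
  TaskQueue q;
  std::string out;
  auto host = std::make_shared<FrameHost>(FrameHost{42});
  WeakObserver observer(host);
  observer.StartWithTimeout(q, &out);
  if (destroy_host_before_timeout) host.reset();  // frame host destroyed in the window
  q.RunAll();
  return out;
}
```

RawPointerObserver is shown for contrast only; running its task after the host is freed is undefined behaviour, which is exactly the condition an observer registration or weak handle is there to rule out.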
