Critical Vulnerability Information

Vulnerability Overview

Vulnerability Type: Heap-use-after-free
Target Function:

Vulnerability Details

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36

Reproduction Steps:
1. On Windows NT 10.0; Win64; x64 environment.
2. Use to check commit .
3. Apply and launch Chrome with specific startup flags:

Analysis

Root Cause: Same as Issue #1240593.
- The function is called on a worker thread and uses to pass the object.
- When the worker thread terminates, the object is freed.
- There exists a subtle race condition: when the delegate itself is being dereferenced, the worker thread may not have terminated yet, causing the delegate object to potentially be freed while still being accessed by subsequent member operations.

Status and Classification

Status: Fixed
Priority: P1
Severity: S2
Classification Tags:
- external_security_report
- Security_Impact-Extended
- reward-inprocess
- CVE_description-submitted
Tags: Arch-x86_64, allpublic, Via-Wizard-Security, FoundIn-96
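
The lifetime race from the root cause above, shown in hardened form as an added C++ example (not code from the report or from Chrome). Worker, Delegate, UseDelegate and UseAcrossWorkerExit are hypothetical names, and pinning through std::weak_ptr is an assumed mitigation pattern, not the fix that was actually applied.

```cpp
#include <future>
#include <iostream>
#include <memory>
#include <string>
#include <thread>

// Hypothetical stand-in for the delegate object in the report.
struct Delegate { std::string state = "ready"; };
// Hypothetical worker: its thread holds the only owning reference and frees
// the delegate as it terminates, matching the root cause described above.
class Worker {
 public:
  Worker() {
    auto owned = std::make_shared<Delegate>();
    delegate_ = owned;
    thread_ = std::thread(
        [owned = std::move(owned), stop = stop_.get_future()]() mutable {
          stop.wait();    // run until asked to stop
          owned.reset();  // delegate freed on thread termination
        });
  }
  ~Worker() { Stop(); }
  void Stop() {
    if (thread_.joinable()) { stop_.set_value(); thread_.join(); }
  }
  // Callers receive a weak handle, never a raw Delegate*.
  std::weak_ptr<Delegate> delegate() const { return delegate_; }
 private:
  std::promise<void> stop_;
  std::thread thread_;
  std::weak_ptr<Delegate> delegate_;
};
// lock() either pins the delegate for the whole access or reports it gone.
std::string UseDelegate(const std::weak_ptr<Delegate>& weak) {
  auto pinned = weak.lock();
  return pinned ? pinned->state : "gone";
}
// The racy window: the worker exits between acquiring and using the delegate.
std::string UseAcrossWorkerExit(Worker& w) {
  auto pinned = w.delegate().lock();
  w.Stop();  // with a raw pointer, the next line would read freed memory
  return pinned ? pinned->state : "gone";
}

int main() {
  Worker w;
  std::string during = UseAcrossWorkerExit(w), after = UseDelegate(w.delegate());
  std::cout << during << " " << after << "\n";
}
```

Building the same sequence with a raw pointer under AddressSanitizer is the usual way to confirm a report of this class; the pinned version stays clean because the last reference is dropped only after the access completes.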