Critical Vulnerability Information Vulnerability Type: Security Issue (UaF - Use-after-free) Description: holds a raw pointer to . If continues to use after it has been destroyed, this leads to a UaF vulnerability. Issue Details: - In , there is a check: if , it indicates that the is still alive. - If a new master request is initiated, in , the master URL is inserted into . - In , if the master URL is encountered for the first time and not yet fetched, a new request is initiated, but it is not yet fetched or scheduled. - checks whether the URL has been set by . If yes, it returns the existing entry; otherwise, it does not create a cache entry. 世 If the master URL request returns 404, although the completion count is incremented in , no cache entry is created. If the same URL is added again, is incremented again, leading to the UaF issue. Impact: Causes browser crash, without requiring renderer compromise. Affected Versions: Chrome 46 stable and above. Operating Systems: All operating systems. Priority: P0 Severity: S0 CVE ID: 2015-6765 Fix Status: Fixed Reproduction Steps: Extract . Run and navigate to .