--- Vulnerability Information Reporter: ha...@gmail.com Vulnerability Type: Vulnerability Priority: P0 Severity: S0 Status: Fixed Vulnerability Description Issue Description: There is a circular deque that stores a raw pointer to . The function may delete the object and return . However, after deletion, the is not removed from the deque of pending permission requests. This leads to undefined behavior (UAF) when 's deletes the object. Reproduction Steps: 1. Run command: 2. Run command: 3. Launch Chromium with an HTML file Key Code Snippet: Additional Information Labels: Fixed, Vulnerability, P0, Needs-Triage-M109, external_security_report, Needs-Feedback, Security_Impact-Extended, CVE_description-submitted, reward-inprocess Check-in Author: tu...@chromium.org Component: Chromium > UI > Browser > Permissions > Prompts Issue ID: 40063055