Google Chrome
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*
- >= 93.0.4577.82, < 94.0.4606.61
This vulnerability is being actively exploited in the wild.
A use-after-free vulnerability has been identified in the Portals feature of Google Chrome and Chromium, prior to version 94.0.4606.61. This vulnerability allows a remote attacker who has compromised the renderer process to potentially escape the sandbox by using a crafted HTML page. The issue arises because the renderer can manipulate frame-bound Mojo interfaces, bypassing normal security restrictions.
Exploitation of this vulnerability could lead to a sandbox escape, allowing a compromised renderer process to execute arbitrary code in the browser's main process.
The vulnerability can be reproduced by applying a specific renderer patch that enables the exploitation of the use-after-free condition. After applying the patch, loading a particular HTML file that triggers the vulnerability causes a use-after-free error in the browser process, indicating that the vulnerability has been successfully exploited.
Users can upgrade to Google Chrome version 94.0.4606.61 or later to address this vulnerability. Instructions for updating Chrome can be found on the official Google Chrome website. For Fedora users, the update is available through the DNF package manager.