Google Chrome Profiles Use-After-Free Vulnerability Allowing Heap Corruption

Vulnerability

A use-after-free vulnerability has been identified in the Profiles component of Google Chrome, affecting versions prior to 134.0.6998.35. An attacker who convinces a user to install a malicious extension and then directs them to a crafted HTML page can exploit the flaw to cause heap corruption. The root cause is improper management of object lifetimes, which can be triggered through the Chrome extension system or by manipulating the DevTools console.

Impact

Exploitation of this vulnerability leads to memory corruption, with potential consequences such as arbitrary code execution or a browser crash.

Reproduction

The vulnerability can be reproduced by applying a specific patch that facilitates the exploitation process. With the patch applied, the 'Chromium Profile Management' window can be opened; a new tab is then created and navigated to 'chrome://profile-picker'. From there, the 'continueWithoutAccount' command is sent via the DevTools console, which triggers the use-after-free by closing the profile picker before profile creation has completed. The same sequence can also be automated through a Chrome extension that interacts with the profile management UI.

Remediation

Users should update to Google Chrome version 134.0.6998.35 or later, where this vulnerability has been fixed.
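As an added example (not part of this advisory), the following Python script decides whether an installed Chrome build is older than the fixed version named above and triages a constructed inventory export; the hostnames and the CSV layout are assumptions.

```python
# Added example (not from the advisory): flag Chrome builds older than the
# fixed version stated above. Versions are MAJOR.MINOR.BUILD.PATCH and must be
# compared component-wise as integers, never as strings.
from __future__ import annotations

FIXED_VERSION = "134.0.6998.35"  # first fixed build, from the advisory


def parse_version(text: str) -> tuple[int, ...] | None:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool | None:
    """True if older than the fixed build, False if fixed or newer,
    None if unparseable (treat as 'needs manual check', not as safe)."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    # Tuple comparison is element-wise numeric: 134.0.6998.4 < 134.0.6998.35.
    # A plain string comparison would get that backwards ("4" > "35").
    return v < f


# Constructed sample inventory ("hostname,chrome_version"), not real hosts.
SAMPLE_INVENTORY = """\
wks-0101,134.0.6998.35
wks-0102,133.0.6943.141
wks-0103,134.0.6998.4
wks-0104,135.0.7049.84
wks-0105,unknown
"""


def triage_inventory(csv_text: str, fixed: str = FIXED_VERSION) -> dict[str, list[str]]:
    """Bucket hosts into 'vulnerable', 'fixed' and 'unparseable' for follow-up."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unparseable": []}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        verdict = is_vulnerable(version, fixed)
        key = "unparseable" if verdict is None else ("vulnerable" if verdict else "fixed")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```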

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.