CVE-2014-1722

Vulnerability

A use-after-free vulnerability exists in the RenderBlock::addChildIgnoringAnonymousColumnBlocks function within core/rendering/RenderBlock.cpp in the Blink rendering engine, as used in Google Chrome before version 34.0.1847.116. The flaw is triggered by specific sequences of DOM manipulation that involve adding a child node, leading to a dangling pointer reference. [1][2]

Exploitation

An attacker can exploit this vulnerability by crafting a web page that, when rendered by a vulnerable version of Chrome, triggers the use-after-free condition. The attack requires no special network position beyond serving the malicious page to a user, and no authentication is needed. The user must visit the crafted page, at which point the sequence of child node additions triggers the bug. [1][2]

Impact

Successful exploitation could allow a remote attacker to cause a denial of service (browser crash) or potentially execute arbitrary code with the privileges of the browser process. The Gentoo security advisory lists potential execution of arbitrary code as a possible outcome, though the original description is less specific. [1]

Mitigation

The vulnerability is fixed in Google Chrome version 34.0.1847.116. Users should upgrade to this version or later. For Gentoo Linux users, the fix is included in Chromium version 37.0.2062.94, available via the emerge command. No known workaround is available. [1][2]