CVE-2016-1644
Description
A use-after-free in Blink's layout scheduling allows remote code execution or denial of service via crafted HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in WebKit/Source/core/layout/LayoutObject.cpp within the Blink rendering engine, as used in Google Chrome prior to version 49.0.2623.87. The flaw arises because the SubtreeLayoutScope::setNeedsLayout() and setChildNeedsLayout() functions do not properly restrict relayout scheduling, allowing markContainerChainForLayout() to schedule a relayout even when a SubtreeLayoutScope is active. This can lead to a use-after-free condition when processing a crafted HTML document [1].
Exploitation
An attacker can exploit this vulnerability by convincing a user to visit a specially crafted HTML document. No authentication or special network position is required; the attack is remote. The crafted HTML triggers the flawed relayout scheduling path, causing the use-after-free [2].
Impact
Successful exploitation results in a use-after-free, which can cause a denial of service via renderer crash or potentially allow arbitrary code execution within the sandboxed render process. The impact is limited to the renderer sandbox, but could be combined with other vulnerabilities for full system compromise [2].
Mitigation
The vulnerability is fixed in Google Chrome version 49.0.2623.87 and later. Users should update their browser to the latest version. For Ubuntu systems, the fix is included in the oxide-qt package update provided by USN-2920-1 [2]. No workarounds are documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (10)
- googlechromereleases.blogspot.com/2016/03/stable-channel-update_8.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00066.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00067.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00073.html (nvd)
- www.debian.org/security/2016/dsa-3513 (nvd)
- www.securityfocus.com/bid/84224 (nvd)
- www.securitytracker.com/id/1035259 (nvd)
- www.ubuntu.com/usn/USN-2920-1 (nvd)
- code.google.com/p/chromium/issues/detail (nvd)
- codereview.chromium.org/1755543002 (nvd)
News mentions (0)
No linked articles in our index yet.