
Chrome Use-After-Free Vulnerabilities Exploited in the Wild

Google Chrome has faced a series of high-profile security incidents involving Use-After-Free (UAF) vulnerabilities, several of which have been actively exploited in the wild.

These flaws, rooted in improper memory management, are a persistent vector for attackers seeking arbitrary code execution on victims' machines: a UAF in the renderer yields code execution inside the sandbox, while a UAF in the browser process, or a separate bug in the IPC layer, supplies the sandbox escape.

A UAF vulnerability occurs when a program keeps using a pointer after the memory it references has already been freed.

Because the allocator may hand that memory to the next allocation of a similar size, an attacker who can trigger the free and then control what gets allocated afterwards decides what the stale pointer now points at. Depending on how the stale object is used, that leads to data leakage, code execution, or a crash.

In Chrome, UAFs have historically been a major source of high-severity security bugs. The most dangerous are those reachable in the browser process, which runs outside the renderer sandbox and has direct access to sensitive user data and system resources.

Chrome UAF vulnerabilities

CVE-2024-4671: Discovered in Chrome’s Visuals component, responsible for rendering page content. Attackers could exploit this flaw by enticing users to visit malicious web pages, potentially leading to arbitrary code execution. 

Google responded by releasing urgent patches and withholding technical details to prevent further exploitation.

CVE-2025-2476: A critical UAF in Chrome's Lens component, affecting all platforms except iOS.

The vulnerability allows a remote attacker to trigger heap corruption via a crafted HTML page, which, if exploited, can lead to code execution in the affected process.

CVE-2025-2783: A high-severity bug in Chrome's Mojo IPC layer on Windows that let attackers escape Chrome's sandbox. Google's advisory describes it as an incorrect handle being provided in Mojo rather than as a UAF; it belongs in this list because it is the second-stage bug that a renderer memory-corruption flaw such as a UAF must be chained with to reach the host.

The flaw was reported by Kaspersky researchers, who observed it in a targeted espionage campaign.

A typical exploitation technique is heap spraying: after triggering the free, the attacker makes many allocations of the same size class, each filled with controlled data, so that one of them is placed on the freed object's chunk. If the first word of that chunk is where the object kept its virtual function table (vtable) pointer, the attacker replaces it with a pointer to a fake vtable, and the next virtual call through the stale pointer transfers control to an address of the attacker's choosing.
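The mechanics just described, as an added example that is not part of the original article or of Chrome's code: a C program with a toy single-size-class heap (a LIFO free list, so chunk reuse is deterministic; glibc's tcache and PartitionAlloc's freelists likewise hand back the most recently freed chunk of a size class first), a constructed `widget` object laid out like a C++ object with its vtable pointer first, and an attacker fake vtable whose `hijacked` function stands in for shellcode or a ROP chain. All names and the sample object are invented for the example.

```c
/* Added example, not from the article or from Chrome: a use-after-free turned
 * into control-flow hijack by reclaiming the freed chunk. The heap below is a
 * toy with one size class and a LIFO free list, so the reuse is deterministic;
 * real allocators reuse recently freed chunks the same way, which is what a
 * heap spray relies on. widget, vtable and hijacked() are constructed. */
#include <stddef.h>
#include <string.h>

/* A C++-style object as the compiler lays it out: vtable pointer first. */
struct vtable { int (*get_value)(void *self); };
struct widget { const struct vtable *vt; int value; };
static int widget_get_value(void *self) { return ((struct widget *)self)->value; }
static const struct vtable widget_vt = { widget_get_value };

/* Attacker-controlled fake vtable; hijacked() stands in for shellcode/ROP. */
static int hijacked(void *self) { (void)self; return 0xdead; }
static const struct vtable fake_vt = { hijacked };

/* Toy heap: NSLOTS chunks of one size class, most recently freed chunk first. */
#define NSLOTS 4
union slot { struct widget w; unsigned char bytes[sizeof(struct widget)]; };
static union slot slots[NSLOTS];
static int free_list[NSLOTS], free_top, next_fresh;

static void toy_reset(void) { free_top = -1; next_fresh = 0; }
static void *toy_alloc(void) {
  if (free_top >= 0) return &slots[free_list[free_top--]]; /* reuse last freed */
  if (next_fresh < NSLOTS) return &slots[next_fresh++];    /* else fresh chunk */
  return NULL;
}
static void toy_free(void *p) { free_list[++free_top] = (int)((union slot *)p - slots); }

/* Baseline: the virtual call goes through the real vtable and returns 42. */
int dispatch_live(void) {
  toy_reset();
  struct widget *w = toy_alloc();
  w->vt = &widget_vt;
  w->value = 42;
  int r = w->vt->get_value(w);
  toy_free(w);
  return r;
}

/* Vulnerable: one owner frees w while another component still holds it. */
int dispatch_after_free(void) {
  toy_reset();
  struct widget *w = toy_alloc();
  w->vt = &widget_vt;
  w->value = 42;
  struct widget *stale = w;   /* e.g. a pending callback or cache entry */
  toy_free(w);                /* the owner destroys the object */

  /* Heap spray: allocate same-size chunks and write the fake vtable pointer
   * into each; the first one lands on w's old chunk. */
  for (int k = 0; k < NSLOTS; k++) {
    unsigned char *spray = toy_alloc();
    if (!spray) break;
    const struct vtable *fake = &fake_vt;
    memcpy(spray, &fake, sizeof fake);
  }

  /* UAF: the stale object's vtable word now holds the attacker's pointer, so
   * the "virtual call" dispatches to hijacked() and returns 0xdead. */
  return stale->vt->get_value(stale);
}
```

`dispatch_live` returns 42; `dispatch_after_free` returns 0xdead because the spray reclaimed the freed chunk and the stale pointer's virtual call went through the attacker's table. Against a real allocator the same flow only works when the spray's allocation size falls in the freed object's size class, which is why real exploits begin with working out the size and lifetime of the freed object.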

According to the SSD Secure Disclosure technical team, a UAF in Chrome's Password Manager could be triggered by manipulating asynchronous callbacks so that an object is destroyed before the task that references it runs.

Their proof-of-concept induced that ordering by creating browser windows and removing them again quickly.

MiraclePtr and BackupRefPtr

To combat the constant stream of UAF vulnerabilities, Chrome deployed MiraclePtr, a smart-pointer-like mechanism (exposed in the code base as raw_ptr<T>, which replaces raw pointers in class fields) designed not to find UAFs but to make them non-exploitable.

The production implementation is BackupRefPtr (BRP), which relies on Chrome's custom heap allocator, PartitionAlloc, to keep a hidden reference counter in each allocation's metadata:

  • Every raw_ptr<T> that points into an allocation increments its counter when assigned and decrements it when reassigned or destroyed.
  • When the object is freed while the counter is still non-zero, the allocation is quarantined: its bytes are overwritten with a fixed poison pattern and the slot is withheld from the free list, so a heap spray cannot reclaim it and a read through the dangling pointer returns the poison rather than attacker-controlled data.
  • Only when the counter drops to zero is the memory returned to the allocator for reuse. Dangling pointers still exist, but they can no longer alias attacker-controlled memory, which turns a UAF from code execution into, typically, a crash.
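The earlier heap-spray attack replayed against a BackupRefPtr-style allocator, as an added example that is not Chrome's code: the per-slot metadata, the `protected_ptr` struct (playing the role of raw_ptr<T>), the `POISON` zap byte, and the `widget` object and fake vtable are all constructed for the example. Chrome keeps the count in PartitionAlloc's slot metadata and manages it from raw_ptr<T>; the real zap pattern is an implementation detail and 0xEF here is an assumed value.

```c
/* Added example, not Chrome's code: the BackupRefPtr idea on a toy allocator
 * with per-slot metadata. protected_ptr stands in for raw_ptr<T>, POISON is an
 * assumed zap byte, and widget/fake_vt are the same constructed stand-ins used
 * for the attack above. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct vtable { int (*get_value)(void *self); };
struct widget { const struct vtable *vt; int value; };
static int widget_get_value(void *self) { return ((struct widget *)self)->value; }
static const struct vtable widget_vt = { widget_get_value };
static int hijacked(void *self) { (void)self; return 0xdead; }
static const struct vtable fake_vt = { hijacked };

#define NSLOTS 4
#define POISON 0xEF   /* assumed zap byte, not Chrome's actual constant */
union slot { struct widget w; unsigned char bytes[sizeof(struct widget)]; };
struct slot_meta { unsigned refs; bool in_use; bool quarantined; };
static union slot slots[NSLOTS];
static struct slot_meta meta[NSLOTS];   /* the "hidden" per-allocation metadata */

static int slot_index(const void *p) { return (int)((const union slot *)p - slots); }

/* Hand out the first slot that is neither live nor quarantined. */
static void *brp_alloc(void) {
  for (int i = 0; i < NSLOTS; i++)
    if (!meta[i].in_use && !meta[i].quarantined) { meta[i].in_use = true; return &slots[i]; }
  return NULL;
}

/* Free: zap the contents; if protected pointers still reference the slot,
 * quarantine it so it cannot be handed out again yet. */
static void brp_free(void *p) {
  int i = slot_index(p);
  meta[i].in_use = false;
  memset(&slots[i], POISON, sizeof slots[i]);
  if (meta[i].refs > 0) meta[i].quarantined = true;
}

/* raw_ptr<T>-style pointer: each live copy holds one count on its slot. */
struct protected_ptr { struct widget *p; };
static void ptr_assign(struct protected_ptr *pp, struct widget *w) {
  pp->p = w;
  meta[slot_index(w)].refs++;
}
static void ptr_release(struct protected_ptr *pp) {
  int i = slot_index(pp->p);
  if (--meta[i].refs == 0) meta[i].quarantined = false; /* last reference gone */
  pp->p = NULL;
}

struct brp_outcome {
  bool spray_reclaimed_slot;      /* did an attacker allocation land on the freed object? */
  bool stale_sees_poison;         /* does the dangling pointer read only the zap pattern? */
  bool slot_reused_after_release; /* is the slot recycled once refs drop to zero? */
};

struct brp_outcome replay_attack_with_brp(void) {
  struct brp_outcome out = { false, false, false };
  memset(meta, 0, sizeof meta);

  struct widget *w = brp_alloc();
  w->vt = &widget_vt;
  w->value = 42;
  struct protected_ptr stale;
  ptr_assign(&stale, w);            /* some field still references w ... */
  brp_free(w);                      /* ... when its owner destroys it */

  for (int k = 0; k < NSLOTS; k++) { /* the same heap spray as before */
    unsigned char *spray = brp_alloc();
    if (!spray) break;
    const struct vtable *fake = &fake_vt;
    memcpy(spray, &fake, sizeof fake);
    if ((void *)spray == (void *)stale.p) out.spray_reclaimed_slot = true;
  }

  /* The vtable word under the dangling pointer is POISON, not &fake_vt. Calling
   * through it would dereference a bogus vtable and crash, so we only inspect. */
  out.stale_sees_poison = true;
  for (size_t b = 0; b < sizeof(struct widget); b++)
    if (slots[slot_index(stale.p)].bytes[b] != POISON) out.stale_sees_poison = false;

  void *old = stale.p;
  ptr_release(&stale);              /* refs -> 0: the slot leaves quarantine */
  out.slot_reused_after_release = (brp_alloc() == old);
  return out;
}
```

`replay_attack_with_brp` reports that no spray allocation landed on the freed slot, that the dangling pointer sees only the poison pattern, and that the slot goes back into circulation only after the last protected pointer releases it. That is the whole defence: the UAF is still there, but its worst case becomes a crash on a poisoned vtable pointer instead of a hijacked virtual call. The same limitation as in Chrome applies: a plain `struct widget *` that never went through `ptr_assign`, the analogue of a stack-local raw pointer, gets no protection.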

While MiraclePtr has significantly raised the bar for attackers, coverage is not complete: it protects pointers held as raw_ptr<T> class members, not raw pointers on the stack or inside containers, and not every process or platform is covered yet, as the CVEs above show. Users are strongly urged to:

  • Update Chrome to the latest stable release as soon as patches ship. Chrome downloads updates in the background but applies them only on relaunch, so a browser left running for days remains on the old build.
  • Be cautious with untrusted websites. A renderer UAF such as CVE-2024-4671 is triggered by rendering a crafted page, so merely visiting a malicious site is enough; avoid untrusted links until the update is applied.

Organizations should monitor their environments for outdated Chrome versions and deploy mitigations promptly. As Chrome continues to harden its memory management, UAF vulnerabilities remain a critical focus for defenders and attackers alike. 


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
