Use-after-free vulnerability in the Document::finishedParsing function in core/dom/Document.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via an onload event that changes an IFRAME element so that its src attribute is no longer an XML document, leading to unintended garbage collection of this document.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Chrome | | * | 29.0.1547.56 (including) |
Chrome | | 29.0.1547.0 (including) | 29.0.1547.0 (including) |
Chrome | | 29.0.1547.1 (including) | 29.0.1547.1 (including) |
Chrome | | 29.0.1547.2 (including) | 29.0.1547.2 (including) |
Chrome | | 29.0.1547.3 (including) | 29.0.1547.3 (including) |
Chrome | | 29.0.1547.4 (including) | 29.0.1547.4 (including) |
Chrome | | 29.0.1547.5 (including) | 29.0.1547.5 (including) |
Chrome | | 29.0.1547.7 (including) | 29.0.1547.7 (including) |
Chrome | | 29.0.1547.8 (including) | 29.0.1547.8 (including) |
Chrome | | 29.0.1547.9 (including) | 29.0.1547.9 (including) |
Chrome | | 29.0.1547.10 (including) | 29.0.1547.10 (including) |
Chrome | | 29.0.1547.11 (including) | 29.0.1547.11 (including) |
Chrome | | 29.0.1547.12 (including) | 29.0.1547.12 (including) |
Chrome | | 29.0.1547.13 (including) | 29.0.1547.13 (including) |
Chrome | | 29.0.1547.14 (including) | 29.0.1547.14 (including) |
Chrome | | 29.0.1547.15 (including) | 29.0.1547.15 (including) |
Chrome | | 29.0.1547.16 (including) | 29.0.1547.16 (including) |
Chrome | | 29.0.1547.17 (including) | 29.0.1547.17 (including) |
Chrome | | 29.0.1547.18 (including) | 29.0.1547.18 (including) |
Chrome | | 29.0.1547.19 (including) | 29.0.1547.19 (including) |
Chrome | | 29.0.1547.20 (including) | 29.0.1547.20 (including) |
Chrome | | 29.0.1547.21 (including) | 29.0.1547.21 (including) |
Chrome | | 29.0.1547.22 (including) | 29.0.1547.22 (including) |
Chrome | | 29.0.1547.23 (including) | 29.0.1547.23 (including) |
Chrome | | 29.0.1547.27 (including) | 29.0.1547.27 (including) |
Chrome | | 29.0.1547.28 (including) | 29.0.1547.28 (including) |
Chrome | | 29.0.1547.29 (including) | 29.0.1547.29 (including) |
Chrome | | 29.0.1547.30 (including) | 29.0.1547.30 (including) |
Chrome | | 29.0.1547.31 (including) | 29.0.1547.31 (including) |
Chrome | | 29.0.1547.32 (including) | 29.0.1547.32 (including) |
Chrome | | 29.0.1547.33 (including) | 29.0.1547.33 (including) |
Chrome | | 29.0.1547.34 (including) | 29.0.1547.34 (including) |
Chrome | | 29.0.1547.35 (including) | 29.0.1547.35 (including) |
Chrome | | 29.0.1547.36 (including) | 29.0.1547.36 (including) |
Chrome | | 29.0.1547.37 (including) | 29.0.1547.37 (including) |
Chrome | | 29.0.1547.38 (including) | 29.0.1547.38 (including) |
Chrome | | 29.0.1547.39 (including) | 29.0.1547.39 (including) |
Chrome | | 29.0.1547.40 (including) | 29.0.1547.40 (including) |
Chrome | | 29.0.1547.41 (including) | 29.0.1547.41 (including) |
Chrome | | 29.0.1547.42 (including) | 29.0.1547.42 (including) |
Chrome | | 29.0.1547.45 (including) | 29.0.1547.45 (including) |
Chrome | | 29.0.1547.46 (including) | 29.0.1547.46 (including) |
Chrome | | 29.0.1547.47 (including) | 29.0.1547.47 (including) |
Chrome | | 29.0.1547.48 (including) | 29.0.1547.48 (including) |
Chrome | | 29.0.1547.49 (including) | 29.0.1547.49 (including) |
Chrome | | 29.0.1547.50 (including) | 29.0.1547.50 (including) |
Chrome | | 29.0.1547.51 (including) | 29.0.1547.51 (including) |
Chrome | | 29.0.1547.52 (including) | 29.0.1547.52 (including) |
Chrome | | 29.0.1547.53 (including) | 29.0.1547.53 (including) |
Chrome | | 29.0.1547.54 (including) | 29.0.1547.54 (including) |
Chrome | | 29.0.1547.55 (including) | 29.0.1547.55 (including) |
Chromium-browser | Ubuntu | lucid | * |
Chromium-browser | Ubuntu | precise | * |
Chromium-browser | Ubuntu | quantal | * |
Chromium-browser | Ubuntu | raring | * |
Chromium-browser | Ubuntu | upstream | * |