CVE-2020-16045: 
Google Chrome vulnerability analysis and mitigation

Use after Free (UaF) vulnerability in the Payments feature of Google Chrome on Android prior to version 87.0.4280.66 was discovered. The vulnerability, tracked as CVE-2020-16045, was reported by Man Yue Mo of GitHub Security Lab on September 7, 2020, and was fixed in the release of Chrome version 87 on November 17, 2020 (Chrome Release, GitHub Lab).

The vulnerability exists in the PaymentAppServiceBridge component where a raw pointer to the RenderFrameHostImpl is stored and used to create PaymentRequest in JavaScript. The issue occurs when this pointer is used to create an InternalAuthenticator, which also receives the render_frame_host_ as a raw pointer. When the InternalAuthenticator is destroyed, it makes a virtual function call on this raw render_frame_host_. The vulnerability can be triggered by creating multiple paymentRequests in an iframe and then destroying the frame while callbacks are still queued in the Java code (GitHub Lab). The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. The bug initially only affected the beta version of Chrome, though further investigation revealed additional crashes affecting the stable version, which were likely null pointer dereferences (GitHub Lab).

The vulnerability was patched in Google Chrome version 87.0.4280.66 for Android. Users should update to this version or later to mitigate the risk (Chrome Release).