March 8, 2021

GHSL-2020-165: Use-after-free (UaF) in Chrome PaymentAppServiceBridge - CVE-2020-16045

Man Yue Mo

Coordinated Disclosure Timeline


UaF in PaymentAppServiceBridge



Tested Version

Pixel 3a XL emulator on Android 10 with master branch commit dc7770f


The PaymentAppServiceBridge stores a raw pointer to the RenderFrameHostImpl of the frame whose JavaScript created the corresponding PaymentRequest [1].

This pointer is then used in a number of places. For example, it is used to create an InternalAuthenticator [2], and the render_frame_host_ is passed to the InternalAuthenticator as a raw pointer as well. When the InternalAuthenticator is destroyed, its destructor makes a virtual function call through this raw render_frame_host_ [3].

The lifetime of the InternalAuthenticator that holds this raw RenderFrameHost pointer is tied to a callback [4], which eventually ends up in a callback queue in the Java code [5]. By creating a large number of PaymentRequest objects in an iframe from JavaScript and then destroying the frame while these callbacks are still waiting in the queue, the RenderFrameHostImpl is freed before the InternalAuthenticators that point to it, and the virtual call in their destructors becomes a use-after-free.
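The lifetime hazard described above, reduced to plain C++ as an added illustration. This is not Chromium code and not part of the advisory: FakeRenderFrameHost stands in for RenderFrameHostImpl, RawPtrAuthenticator and WeakPtrAuthenticator for InternalAuthenticator, and the std::queue of std::function objects for the Java-side callback queue that keeps the callbacks (and the authenticators they own) alive after the frame is gone. The names RunRawPtr, RunHardened and Counters are invented for the example, and std::weak_ptr stands in for a checked weak handle such as Chromium's base::WeakPtr; nothing here claims to be the actual fix.

```cpp
// Added illustration, not Chromium code: a raw pointer held by an object whose
// lifetime is tied to a queued callback, versus a weak handle that is checked
// before use in the destructor.
#include <functional>
#include <memory>
#include <queue>

struct Counters {
  int virtual_calls_on_live_frame = 0;  // destructor reached a live frame
  int skipped_dead_frame = 0;           // destructor saw the frame was gone
};

// Owned by the (fake) frame tree; destroyed when the iframe is removed.
class FakeRenderFrameHost {
 public:
  explicit FakeRenderFrameHost(Counters* c) : counters_(c) {}
  virtual ~FakeRenderFrameHost() = default;
  virtual void OnAuthenticatorDestroyed() { counters_->virtual_calls_on_live_frame++; }
 private:
  Counters* counters_;
};

// Vulnerable shape: raw pointer captured at construction and dereferenced in
// the destructor, with no way to learn that the frame was already freed.
class RawPtrAuthenticator {
 public:
  explicit RawPtrAuthenticator(FakeRenderFrameHost* rfh) : rfh_(rfh) {}
  ~RawPtrAuthenticator() { rfh_->OnAuthenticatorDestroyed(); }  // UaF if rfh_ dangles
 private:
  FakeRenderFrameHost* rfh_;
};

// Hardened shape: a non-owning handle that is locked (checked for liveness)
// before the virtual call is made.
class WeakPtrAuthenticator {
 public:
  WeakPtrAuthenticator(std::weak_ptr<FakeRenderFrameHost> rfh, Counters* c)
      : rfh_(std::move(rfh)), counters_(c) {}
  ~WeakPtrAuthenticator() {
    if (auto live = rfh_.lock()) live->OnAuthenticatorDestroyed();
    else counters_->skipped_dead_frame++;
  }
 private:
  std::weak_ptr<FakeRenderFrameHost> rfh_;
  Counters* counters_;
};

// Stand-in for the Java-side queue that holds the pending callbacks.
using PendingCallbacks = std::queue<std::function<void()>>;

// Queue `n` callbacks that each own a WeakPtrAuthenticator for the frame, then
// drop the frame either before or after the queue is drained.
Counters RunHardened(int n, bool destroy_frame_first) {
  Counters counters;
  auto frame = std::make_shared<FakeRenderFrameHost>(&counters);
  PendingCallbacks pending;
  for (int i = 0; i < n; ++i) {
    auto auth = std::make_shared<WeakPtrAuthenticator>(frame, &counters);
    pending.push([auth] { (void)auth; });  // auth dies when the callback is dropped
  }
  if (destroy_frame_first) frame.reset();  // the iframe is removed
  while (!pending.empty()) { pending.front()(); pending.pop(); }  // authenticators destroyed here
  return counters;
}

// The same sequence with the raw-pointer design. With destroy_frame_first set,
// every destructor calls through a dangling pointer (build with
// -fsanitize=address to see the heap-use-after-free report); the checks below
// only exercise the ordering that happens to be safe.
Counters RunRawPtr(int n, bool destroy_frame_first) {
  Counters counters;
  auto* frame = new FakeRenderFrameHost(&counters);
  PendingCallbacks pending;
  for (int i = 0; i < n; ++i) {
    auto auth = std::make_shared<RawPtrAuthenticator>(frame);
    pending.push([auth] { (void)auth; });
  }
  if (destroy_frame_first) delete frame;
  while (!pending.empty()) { pending.front()(); pending.pop(); }
  if (!destroy_frame_first) delete frame;
  return counters;
}
```

The point to take from the two Run functions is that the queue, not the frame, decides when the authenticator's destructor runs; any design that dereferences a raw pointer there is only correct if something else guarantees the frame outlives every queued callback, which the iframe teardown described above breaks.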




Use-after-free in the browser process. Triggering it requires a compromised renderer, and it could result in a sandbox escape. The bug as originally discovered only affected the beta version of Chrome; further investigation found other crashes that affected stable, which are most likely null pointer dereferences.


This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).


You can contact the GHSL team at, please include the GHSL-2020-165 in any communication regarding this issue.