WebKit contains a use-after-free error in the 'SubframeLoader::loadSubframe' function in WebCore/loader/SubframeLoader.cpp when handling mutation events during sub-frame loading where the main frame is removed. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

The vendor has released a patch to address this vulnerability. There are no known workarounds or upgrades to correct this issue. Check the vendor advisory, changelog, or solution in the references section for details.

Upgrade to Google Chrome version 17.0.963.56 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1027307
• CVE ID: 2011-3021 (see also: NVD)
• Secunia Advisory ID: 48016 48059 48866 50058 50586 50618
• Related OSVDB ID: 79283 79284 79285 79286 79287 79288 79290 79291 79292 79293 79294 79295
• Vendor Specific News/Changelog Entry: http://googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html
  http://security.gentoo.org/glsa/glsa-201202-01.xml
  http://www.srware.net/forum/viewtopic.php?f=18&t=3521
  https://bugs.webkit.org/show_bug.cgi?id=77345 [ Auth Req'd ]
• Mail List Post: http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
• Vendor Specific Advisory URL: http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html
  http://support.apple.com/kb/HT5400
  http://support.apple.com/kb/HT5503
  https://code.google.com/p/chromium/issues/detail?id=111779
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/106818

• Arthur Gerkis