GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528

We discussed this vulnerability during Episode 88 on 05 October 2021

There is a use-after-free in Chrome for Android when fetching credit card details to autofill. The vulnerability requires that the victim have credit card details saved in Chrome.

It all centres on the Java class InternalAuthenticator. A method is called on this class (which one depends on the action being performed) that stores a callback to the native internal authenticator as a Java lambda. The native internal authenticator normally holds a shared reference to the Java InternalAuthenticator and destroys it when it is itself destroyed. The problem is that the Java lambda also holds a reference to the InternalAuthenticator.

So even once the native authenticator has been freed, the Java lambda keeps the InternalAuthenticator alive, with its pointer to the native internal authenticator now pointing at a freed object. When the callback is finally invoked, a use-after-free occurs.
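The lifetime pattern described above, as a constructed Java model added here (not Chromium code): the native authenticator is simulated as a map entry keyed by a `long` handle, the way JNI hands a raw pointer to Java, and the method name `getAssertion`, the `JavaPeer` interface and the `nativeOnResult` call are assumed names for illustration. The vulnerable class leaves the handle dangling after native destruction; the hardened variant zeroes it and checks it when the lambda runs.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of the lifetime pattern in the write-up; not Chromium code.
// The native internal authenticator is a map entry keyed by a long handle (as JNI
// passes a raw C++ pointer); it references its Java peer and notifies it on destruction.
public class AuthenticatorLifetimeDemo {
    interface JavaPeer { void onNativeDestroyed(); }
    static final Map<Long, JavaPeer> NATIVE_OBJECTS = new HashMap<>();
    static long nextHandle = 1;

    static long nativeCreate(JavaPeer peer) { long h = nextHandle++; NATIVE_OBJECTS.put(h, peer); return h; }
    static void nativeDestroy(long h) { JavaPeer p = NATIVE_OBJECTS.remove(h); if (p != null) p.onNativeDestroyed(); }
    // Stands in for the native method the callback invokes; a dead handle is the use-after-free.
    static void nativeOnResult(long h, String result) {
        if (!NATIVE_OBJECTS.containsKey(h)) throw new IllegalStateException("use-after-free via handle " + h);
        System.out.println("native authenticator " + h + " received " + result);
    }

    // Vulnerable shape: the lambda captures 'this', keeping the Java object (and its raw
    // handle) alive after the native object is gone; the handle is never invalidated.
    static class InternalAuthenticator implements JavaPeer {
        long nativeHandle = nativeCreate(this);
        Runnable pendingCallback;
        void getAssertion() { pendingCallback = () -> nativeOnResult(nativeHandle, "assertion"); }
        public void onNativeDestroyed() { /* handle left dangling */ }
    }

    // Hardened shape: native destruction zeroes the handle, and the lambda reads it at
    // invocation time, so a late callback becomes a no-op instead of a native call.
    static class SafeInternalAuthenticator implements JavaPeer {
        long nativeHandle = nativeCreate(this);
        Runnable pendingCallback;
        void getAssertion() {
            pendingCallback = () -> { if (nativeHandle != 0) nativeOnResult(nativeHandle, "assertion"); };
        }
        public void onNativeDestroyed() { nativeHandle = 0; }
    }

    public static void main(String[] args) {
        InternalAuthenticator vuln = new InternalAuthenticator();
        vuln.getAssertion();
        nativeDestroy(vuln.nativeHandle);          // native side freed; lambda still holds the Java peer
        try { vuln.pendingCallback.run(); }
        catch (IllegalStateException e) { System.out.println("vulnerable: " + e.getMessage()); }

        SafeInternalAuthenticator safe = new SafeInternalAuthenticator();
        safe.getAssertion();
        nativeDestroy(safe.nativeHandle);
        safe.pendingCallback.run();                // makes no native call
        System.out.println("hardened: late callback was a no-op");
    }
}
```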