Google Chrome WebRTC addIceCandidate use after free vulnerability

We discussed this vulnerability as part of our weekly podcast on 24 November 2021.

A use-after-free in AddIceCandidate(), the function that adds Interactive Connectivity Establishment (ICE) candidates when starting a WebRTC session. The problem is that it is possible to set up a Promise that calls setLocalDescription(), which marks part of the local description memory for collection by the garbage collector. That same memory is used by AddIceCandidate(). Therefore, if garbage collection can be triggered after the promise runs but before AddIceCandidate() executes, the result is a use-after-free, which can be taken to code execution.