# Critical Vulnerability Information

## Vulnerability Details

- **Issue ID**: 40057601
- **Title**: Security: heap-use-after-free in ForceSigninVerifier::SendRequestIfNetworkAvailable
- **Description**: This vulnerability is similar to https://crbug.com/chromium/1238268. The root cause is that NetworkConnectionTracker continues to receive Mojo calls and executes callbacks bound to already-deallocated objects after all critical services have been destroyed, because the callbacks were bound without a WeakPtr.
- **Priority**: P1
- **Severity**: S1

## Root Cause Analysis

1. When ChromeSigninClient::VerifySyncToken is called, a ForceSigninVerifier instance is created.
2. When ForceSigninVerifier initializes, it invokes SendRequest, and a callback is created and stored in NetworkConnectionTracker::connection_type_callbacks_.

## Fix Status

- **Status**: Fixed
- **Fixer**: dr...@chromium.org

## Related Links

- [Issue Details](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/signin/chrome_signin_client.cc;drc=e5a38eddbdf45d7563a0dfda0b915303679820955e586ff43900d19debd1b8b03af1bb66c95fl58;l=282)
- [Additional Code](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/signin/force_signin_verifier.cc;drc=2d4200591db661a81a1d878cfd278b061c7bc8a1;l=54)
- [Network Connection Tracker Code](https://source.chromium.org/chromium/chromium/src/+/main:services/network/public/cpp/network_connection_tracker.cc;drc=3d7d70920a92c08f6a16597f9f44bb28ac98d9a4;l=83)

## Additional Information

- **Reporter**: yu...@gmail.com
- **CVE ID**: CVE-2021-37997
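The root cause above is a lifetime bug in how a callback is bound, so it is easiest to see in a small model. The following is an added example, not Chromium code and not the fix that landed: the class and member names mirror the report (NetworkConnectionTracker, connection_type_callbacks_, ForceSigninVerifier, SendRequestIfNetworkAvailable), but the bodies are simplified stand-ins, std::weak_ptr stands in for base::WeakPtr, and the live-object registry and the two counters are constructed instrumentation so that the vulnerable variant reports the dangling pointer rather than dereferencing freed memory. It plays out the teardown ordering the report describes (callback queued while the connection type is unknown, verifier destroyed, tracker then learns the type and runs the queued callbacks) once with a raw `this` capture and once with a weak reference, and also checks that the weak-reference binding still delivers the callback when the verifier is alive.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Constructed model of the pattern in the report (not Chromium code): class and
// member names mirror the report, the bodies are simplified stand-ins.
enum class ConnectionType { kUnknown, kNone, kWifi };

static int g_dangling_calls = 0;  // unsafe callback ran after its owner was freed
static int g_skipped_calls = 0;   // weak-pointer callback saw its owner was gone

class NetworkConnectionTracker {
 public:
  using ConnectionTypeCallback = std::function<void(ConnectionType)>;
  // If the type is not yet known, the callback is queued in
  // connection_type_callbacks_ and run later from OnNetworkChanged(), possibly
  // long after the object that registered it has been destroyed.
  bool GetConnectionType(ConnectionType* type, ConnectionTypeCallback callback) {
    if (type_ != ConnectionType::kUnknown) { *type = type_; return true; }
    connection_type_callbacks_.push_back(std::move(callback));
    return false;
  }

  // Delivers the now-known type to every queued callback.
  void OnNetworkChanged(ConnectionType type) {
    type_ = type;
    for (auto& callback : connection_type_callbacks_) callback(type);
    connection_type_callbacks_.clear();
  }

 private:
  ConnectionType type_ = ConnectionType::kUnknown;
  std::vector<ConnectionTypeCallback> connection_type_callbacks_;
};

// Constructed instrumentation: a registry of live verifier addresses lets the
// unsafe variant report a dangling pointer instead of dereferencing it (the
// real bug dereferenced it, which ASan reports as heap-use-after-free).
static std::set<const void*>& LiveVerifiers() { static std::set<const void*> s; return s; }

class ForceSigninVerifier : public std::enable_shared_from_this<ForceSigninVerifier> {
 public:
  explicit ForceSigninVerifier(NetworkConnectionTracker* t) : tracker_(t) { LiveVerifiers().insert(this); }
  ~ForceSigninVerifier() { LiveVerifiers().erase(this); }

  // Vulnerable binding: the raw `this` is captured by the queued callback, so
  // nothing stops it from running after the verifier has been freed.
  void SendRequestIfNetworkAvailableUnsafe() {
    ConnectionType type = ConnectionType::kUnknown;
    auto callback = [self = this](ConnectionType t) {
      if (LiveVerifiers().count(self) == 0) { ++g_dangling_calls; return; }  // demo-only
      self->OnNetworkTypeChanged(t);
    };
    if (tracker_->GetConnectionType(&type, callback)) OnNetworkTypeChanged(type);
  }

  // Fixed binding: a weak reference (std::weak_ptr stands in for base::WeakPtr)
  // lets the callback notice that its owner is gone and do nothing.
  void SendRequestIfNetworkAvailable() {
    ConnectionType type = ConnectionType::kUnknown;
    std::weak_ptr<ForceSigninVerifier> weak = shared_from_this();
    auto callback = [weak](ConnectionType t) {
      if (auto self = weak.lock()) self->OnNetworkTypeChanged(t);
      else ++g_skipped_calls;
    };
    if (tracker_->GetConnectionType(&type, callback)) OnNetworkTypeChanged(type);
  }
  int requests_sent() const { return requests_sent_; }

 private:
  // Stands in for SendRequest(): only fires when a network is available.
  void OnNetworkTypeChanged(ConnectionType t) { if (t != ConnectionType::kNone) ++requests_sent_; }
  NetworkConnectionTracker* tracker_;
  int requests_sent_ = 0;
};

struct Outcome { int dangling_calls; int skipped_calls; };

// Teardown ordering from the report: the verifier queues its callback while the
// type is unknown, is destroyed, and only then does the tracker learn the type.
Outcome RunTeardownScenario(bool use_weak_ptr) {
  g_dangling_calls = g_skipped_calls = 0;
  NetworkConnectionTracker tracker;
  {
    auto verifier = std::make_shared<ForceSigninVerifier>(&tracker);
    if (use_weak_ptr) verifier->SendRequestIfNetworkAvailable();
    else verifier->SendRequestIfNetworkAvailableUnsafe();
  }  // verifier freed here; its callback is still queued in the tracker
  tracker.OnNetworkChanged(ConnectionType::kWifi);
  return {g_dangling_calls, g_skipped_calls};
}

// Normal ordering: the verifier is still alive when the type becomes known.
int RequestsSentWhenAlive() {
  NetworkConnectionTracker tracker;
  auto verifier = std::make_shared<ForceSigninVerifier>(&tracker);
  verifier->SendRequestIfNetworkAvailable();
  tracker.OnNetworkChanged(ConnectionType::kWifi);
  return verifier->requests_sent();
}
```

`RunTeardownScenario(false)` reports one dangling call, the situation ASan flags as heap-use-after-free in the real code; `RunTeardownScenario(true)` reports one skipped call and no dangling one, and `RequestsSentWhenAlive()` returns 1, showing that the weak binding changes nothing on the normal path. The design point is that the tracker's queue outlives its callers by construction, so any object that registers a callback must bind a reference whose validity the callback can check, which is what a WeakPtr provides.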