There are 3 methods where ContainerNode::removeBetween is invoked:
The calls in #1 and #3 are within the scope of HTMLFrameOwnerElement::UpdateSuspendScope, but #2 is unprotected. Thus, if the parser removes a plugin node that has an associated widget, the widget updates fired during detachment run re-entrantly in the middle of the removal and can corrupt the DOM tree. Plugins may take a while to load, but the timing is easy to arrange with document.write, which lets the page control exactly when the parser's actions happen.
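The following is an added, constructed model of the mechanism described above; it is not Blink code and does not reproduce the actual call sites. A flat container holds nodes, a plugin node's widget update can run "script" that mutates the tree, and a stand-in for HTMLFrameOwnerElement::UpdateSuspendScope queues those updates until the outermost scope exits. The two-phase removeBetween (detach by index, then erase the range), the onWidgetUpdate callback, and the choice that the script removes the plugin element itself are all assumptions made for the illustration. The unprotected call leaves a node that is out of the tree but still marked attached; the same removal inside the scope stays consistent.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed model, not Blink code: one container, a flat child list, and
// plugin "widgets" whose updates may run script that mutates the tree.
struct Node {
    std::string name;
    bool hasWidget;
    bool inTree = true;    // the container's view: node is a child
    bool attached = true;  // the widget/render view: node is still live
    Node(std::string n, bool w) : name(std::move(n)), hasWidget(w) {}
};

struct Container {
    std::vector<std::unique_ptr<Node>> owned;  // keeps nodes alive after removal
    std::vector<Node*> children;
    int suspendDepth = 0;
    std::vector<std::function<void()>> deferred;
    // Stands in for script that runs when a widget update fires (assumption).
    std::function<void(Container&, Node&)> onWidgetUpdate;

    // Stand-in for HTMLFrameOwnerElement::UpdateSuspendScope: while any scope
    // is alive, widget updates are queued; the outermost scope flushes them.
    struct UpdateSuspendScope {
        Container& c;
        explicit UpdateSuspendScope(Container& c_) : c(c_) { ++c.suspendDepth; }
        ~UpdateSuspendScope() {
            if (--c.suspendDepth == 0) {
                auto pending = std::move(c.deferred);
                c.deferred.clear();
                for (auto& f : pending) f();
            }
        }
    };

    Node* add(const std::string& name, bool hasWidget) {
        owned.push_back(std::unique_ptr<Node>(new Node(name, hasWidget)));
        children.push_back(owned.back().get());
        return owned.back().get();
    }

    void fireWidgetUpdate(Node* n) {
        if (suspendDepth > 0)
            deferred.push_back([this, n] { onWidgetUpdate(*this, *n); });
        else
            onWidgetUpdate(*this, *n);  // unprotected: runs re-entrantly, mid-removal
    }

    void detach(Node* n) {
        if (!n->attached) return;  // already torn down
        n->attached = false;
        if (n->hasWidget && onWidgetUpdate) fireWidgetUpdate(n);
    }

    // Two-phase removal of children[from, to): detach each node, then drop the
    // index range. The indices are not re-validated between the phases, which
    // is exactly what an interleaved tree mutation breaks.
    void removeBetween(size_t from, size_t to) {
        for (size_t i = from; i < to && i < children.size(); ++i) detach(children[i]);
        size_t end = std::min(to, children.size());
        for (size_t i = from; i < end; ++i) children[i]->inTree = false;
        if (from < end) children.erase(children.begin() + from, children.begin() + end);
    }

    void removeByName(const std::string& name) {
        for (size_t i = 0; i < children.size(); ++i)
            if (children[i]->name == name) { removeBetween(i, i + 1); return; }
    }

    // Invariant: a node is attached exactly when it is in the tree.
    bool consistent() const {
        for (const auto& n : owned)
            if (n->inTree != n->attached) return false;
        return true;
    }
};

// The parser removes [a, b) while the plugin in "a" has a live widget; the
// widget update runs script that removes the plugin element itself.
bool removalKeepsTreeConsistent(bool useSuspendScope) {
    Container doc;
    doc.add("a", /*hasWidget=*/true);
    doc.add("b", false);
    doc.add("c", false);
    doc.onWidgetUpdate = [](Container& c, Node& n) { c.removeByName(n.name); };
    if (useSuspendScope) {
        Container::UpdateSuspendScope scope(doc);  // call sites #1 and #3
        doc.removeBetween(0, 2);
    } else {
        doc.removeBetween(0, 2);                   // call site #2: no scope
    }
    return doc.consistent();
}

int main() {
    std::printf("unprotected: %s\n", removalKeepsTreeConsistent(false) ? "consistent" : "CORRUPT");
    std::printf("with scope:  %s\n", removalKeepsTreeConsistent(true) ? "consistent" : "CORRUPT");
    return 0;
}
```

In the unprotected run the listener erases "a" while the detach loop is still walking the original index range, so the loop detaches "c" in place of "b" and the final erase drops "b" without ever detaching it. With the scope, the update is deferred until the removal has finished and the listener finds nothing left to remove.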
Chrome 46.0.2490.86 (Stable)
Chrome 47.0.2526.69 (Beta)
Chrome 48.0.2564.10 (Dev)
Chromium 49.0.2572.0 + Pepper Flash (Release build compiled today)
Attachment: CVE-2016-1630