Google Chrome suffers from a HTMLKeygenElement::shadowSelect() type confusion vulnerability.