Seems very similar to another bad-cast security ticket, just a slightly different stack.  Still all during heap allocation.  Going to duplicate into the other.  Michael, feel free to adjust if you disagree.

ClusterFuzz has detected this issue as fixed in range 440635:440646.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5677163530682368

Fuzzer: therealholden_worker
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0f396b001928
Crash State:
  Bad-cast to blink::ScriptWrappable from invalid vptr
  blink::DOMWrapperWorld::markWrappersInAllWorlds
  blink::TraceTrait<blink::Blob>::traceMarkedWrapper
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=436545:436554
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=440635:440646

Minimized Testcase (1.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qTcGSlyYDXOlCzmaTBx6kKzX-Sd5bCL-zsXH8wBO9BRCiCFu6kJQzio7OQYLWPguu_SouGqLFqLv0AL4zlqLxEtGdxsRSWyikg7hc8ItGJ03E4H9RfBZ5fjY123Xuu_-yQf_DqEYd6Oqr33Yaq3XSkG0FSw?testcase_id=5677163530682368

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot