There is a possibility of a use-after-free if the replication client closes the connection while the binlogrouter is sending large amounts of events to it.

This happens because of the code returns once a millisecond into the worker main loop to prevent thread monopolization but it does this without checking whether the session is still alive after it returns.