diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index d16a6063d2181..f385d4571368b 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -100,5 +100,6 @@ move_readablestream_requests_onto_the_stack_before_iteration.patch
 streams_convert_state_dchecks_to_checks.patch
 audiocontext_haspendingactivity_unless_it_s_closed.patch
 protect_automatic_pull_handlers_with_mutex.patch
+speculative_fix_for_crashes_in_filechooserimpl.patch
 reland_sequentialise_access_to_callbacks_in.patch
 handle_err_cache_race_in_dodoneheadersaddtoentrycomplete.patch
diff --git a/patches/chromium/speculative_fix_for_crashes_in_filechooserimpl.patch b/patches/chromium/speculative_fix_for_crashes_in_filechooserimpl.patch
new file mode 100644
index 0000000000000..7e856a123e836
--- /dev/null
+++ b/patches/chromium/speculative_fix_for_crashes_in_filechooserimpl.patch
@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kent Tamura <tkent@chromium.org>
+Date: Tue, 25 Feb 2020 01:19:39 +0000
+Subject: Speculative fix for crashes in ~FileChooserImpl()
+
+FileChooserImpl can outlive ListenerProxy.  We should clear
+FileChooserImpl::proxy_ on ~ListenerProxy().
+
+This CL has no tests.  We don't know how to reproduce crashes.
+
+Bug: 1054260
+Change-Id: I2be7a8957f2f725c51081961357ef09f6dabb823
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2067819
+Commit-Queue: Kent Tamura <tkent@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: Matthew Denton <mpdenton@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#744142}
+
+diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc
+index a68e9246f5ec435becca41737cf73f6611970e88..e8b3b88be02cf45ea333b55b931676d80da826c8 100644
+--- a/content/browser/frame_host/render_frame_host_impl.cc
++++ b/content/browser/frame_host/render_frame_host_impl.cc
+@@ -675,6 +675,8 @@ class FileChooserImpl : public blink::mojom::FileChooser,
+     std::move(callback_).Run(nullptr);
+   }
+ 
++  void ResetProxy() { proxy_ = nullptr; }
++
+  private:
+   class ListenerProxy : public content::FileSelectListener {
+    public:
+@@ -685,6 +687,8 @@ class FileChooserImpl : public blink::mojom::FileChooser,
+           << "Should call either FileSelectListener::FileSelected() or "
+              "FileSelectListener::FileSelectionCanceled()";
+ #endif
++      if (owner_)
++        owner_->ResetProxy();
+     }
+     void ResetOwner() { owner_ = nullptr; }
+