“Brash” flaw in Chromium’s Blink engine lets attackers crash browsers instantly via a single malicious URL, researcher Jose Pino revealed.
Security researcher Jose Pino found a severe vulnerability, named Brash, in Chromium’s Blink rendering engine that can be exploited to crash many Chromium-based browsers within a few seconds.
“Brash is a critical vulnerability in Blink, the rendering engine that powers Google’s Chromium-based browsers. It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed,” wrote Pino.
The Brash exploit abuses the lack of rate limiting in the document.title API to flood browsers with millions of DOM updates per second, overloading the main thread and crashing Chromium-based browsers. It causes severe CPU spikes, freezes, and system slowdowns across desktop, Android, and embedded devices. The vulnerability potentially impacts over 3 billion users globally.
The attack runs in three phases. First, the attacker preloads 100 unique 512-character hex strings in memory to avoid CPU pauses and maximize update throughput. Second, a burst injector issues rapid triple-updates (default burst: 8000, 1 ms interval), achieving ~24 million title writes per second. Third, continuous injections saturate the UI/main thread: within seconds CPU usage soars, tabs freeze, the page becomes unresponsive, and the browser soon collapses or requires forced termination.
It works because Blink processes each title change synchronously on the main thread with no rate limiting, blocking the event loop, filling memory with long strings, thrashing the compositor and rendering pipeline, and preventing user input or other event processing.
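The control this paragraph says is missing, as an added JavaScript sketch (not code from Pino's write-up or from Chromium): a wrapper that coalesces writes to a `title` accessor so that at most one per interval reaches the underlying setter. The function names, the 250 ms interval and the fake document are assumptions made for the example.

```javascript
// Added illustration (not Blink or Brash code); every name here is hypothetical.
function throttleTitle(target, opts = {}) {
  const { minIntervalMs = 250, now = Date.now, schedule = setTimeout } = opts;
  // Find the real accessor; in a browser it lives on Document.prototype.
  let desc;
  for (let o = target; o && !desc; o = Object.getPrototypeOf(o)) {
    desc = Object.getOwnPropertyDescriptor(o, 'title');
  }
  if (!desc || !desc.get || !desc.set) throw new TypeError('no title accessor');
  const stats = { applied: 0, coalesced: 0 };
  let last = -Infinity; // time of the last write that reached the engine
  let pending = null;   // newest suppressed write, as { value }
  const apply = (value) => {
    last = now(); pending = null;
    stats.applied++;
    desc.set.call(target, value);
  };
  Object.defineProperty(target, 'title', {
    configurable: true,
    get() { return pending ? pending.value : desc.get.call(target); },
    set(value) {
      const wait = minIntervalMs - (now() - last);
      if (wait <= 0 && !pending) { apply(String(value)); return; }
      stats.coalesced++;
      const timerNeeded = !pending;
      pending = { value: String(value) };
      // One trailing timer per window; it writes only the newest value.
      if (timerNeeded) schedule(() => { if (pending) apply(pending.value); }, wait);
    },
  });
  return stats; // a fast-growing `coalesced` count marks a flooding page
}

// Constructed stand-in for a document: counts writes that reach the "engine".
function makeFakeDocument() {
  let title = '', writes = 0;
  return { get title() { return title; }, set title(v) { title = v; writes++; },
           engineWrites: () => writes };
}

// Constructed burst of 24,000 writes under a fake clock and fake timer queue.
function demoBurst() {
  let t = 0; const timers = [];
  const doc = makeFakeDocument();
  const stats = throttleTitle(doc, { now: () => t, schedule: (fn) => timers.push(fn) });
  for (let i = 0; i < 24000; i++) doc.title = 'x' + i;
  t = 250; timers.forEach((fn) => fn()); // the single trailing flush
  return { engineWrites: doc.engineWrites(), title: doc.title, stats };
}
```

Installed on `document` before page scripts run, the same wrapper gives a crawler pipeline a `coalesced` counter to alert on; it illustrates the throttle the researcher says is absent and is not a tested fix for Brash.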
The researcher tested the Brash exploit against 11 major browsers on macOS, Windows, and Linux.
All Chromium-based browsers are vulnerable because the flaw exists in the core of the Blink rendering engine:
- Chrome — crashes in 15-30 seconds
- Edge — crashes in 15-25 seconds
- Vivaldi — crashes in 15-30 seconds
- Arc Browser — crashes in 15-30 seconds
- Dia Browser — crashes in 15-30 seconds
- Opera — crashes in ~60 seconds
- Perplexity Comet — crashes in 15-35 seconds
- ChatGPT Atlas — crashes in 15-60 seconds
- Brave — crashes in 30-125 seconds
Not vulnerable (using other engines):
- Firefox (Gecko engine) — immune to the attack
- Safari (WebKit engine) — immune to the attack
- iOS browsers (all use WebKit) — immune to the attack due to Apple’s mandatory policy requiring all iOS browsers to use WebKit as their rendering engine, making Chromium-based browsers impossible on iOS
“Brash” can be weaponized with severe consequences, from economic damage to threats to human safety. Attackers can program it to trigger at precise times, remaining dormant until a scheduled moment to maximize impact.
“A critical feature that amplifies Brash’s danger is its ability to be programmed to execute at specific moments. An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time,” Pino added.
“This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the “what” and “where,” but also the “when” with millisecond accuracy.”
Pino explained that an attacker can inject Brash into websites that AI agents and headless browsers (Chromium/Puppeteer) routinely crawl. When agents visit those pages, the headless browser can collapse, halting analysis pipelines and blocking automated trading, price monitoring, SEO crawls, customer‑support lookups and compliance scans. Simultaneous failures across many agents cause timeouts, stalled decisions, economic losses, high recovery costs, and expose critical dependence on automated systems.
“The creation of Brash is an effort to demonstrate what happens when basic protections are absent in the web technologies we use daily. The vulnerability doesn’t lie in complex code or advanced techniques, but in the fundamental lack of rate limiting on an API that should be throttled by design,” concludes the expert. “The impact of Brash on over 3 billion Chromium browser users demonstrates that architectural flaws in core components like Blink have massive and global consequences. This is not an isolated bug—it’s a design flaw that affects the entire Chromium ecosystem.”
(SecurityAffairs – hacking, Brash exploit)
