Ethical Hacking News
A critical vulnerability in Chromium's Blink rendering engine can crash billions of web browsers worldwide within seconds, causing a denial-of-service condition. With Google yet to release a fix, the global internet is left vulnerable to exploitation.
A critical vulnerability has been discovered in Chromium's Blink rendering engine. The bug, dubbed "Brash" by security researcher Jose Pino, can be exploited to crash billions of Chromium-based browsers worldwide within seconds. The Brash vulnerability is an architectural flaw that allows injecting millions of DOM mutations per second, causing a denial-of-service condition. The vulnerability affects Chromium versions 143.0.7483.0 and later, with Google yet to release a fix.
A critical vulnerability has been discovered in Chromium, the open-source browser project that underlies Google Chrome and many other popular web browsers. The bug, dubbed "Brash" by security researcher Jose Pino, can be exploited to crash billions of Chromium-based browsers worldwide within seconds, causing a denial-of-service condition that may freeze or lock up the host system.
The Brash vulnerability is an architectural flaw in Blink, the rendering engine used by Chromium-based browsers. According to Pino, the attack vector originates from the complete absence of rate limiting on document.title API updates. This allows injecting millions of DOM mutations per second, which saturates the main thread, disrupting the event loop and causing the interface to collapse.
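The missing control described above, a rate limit on document.title updates, can be sketched as a token bucket that lets a bounded number of title writes through per second and coalesces the rest into the newest value. This is an added example, not code from Pino, The Register or Chromium; installTitleRateLimit, its options and the stub document are hypothetical names, and a real fix would have to live inside Blink because page script can reach the native setter by other routes.

```javascript
// Added illustration (not Chromium code): a token-bucket limit on title writes.
// installTitleRateLimit, its options and makeStubDocument are hypothetical names.
function installTitleRateLimit(doc, { maxPerSecond = 10, now = () => Date.now() } = {}) {
  // Find the native accessor; in a browser it lives on Document.prototype.
  let desc;
  for (let p = Object.getPrototypeOf(doc); p && !desc; p = Object.getPrototypeOf(p)) {
    desc = Object.getOwnPropertyDescriptor(p, 'title');
  }
  if (!desc || !desc.get || !desc.set) throw new TypeError('no title accessor found');
  const stats = { applied: 0, coalesced: 0 };
  let tokens = maxPerSecond, last = now(), pending = null;
  const refill = () => {
    const t = now();
    tokens = Math.min(maxPerSecond, tokens + ((t - last) * maxPerSecond) / 1000);
    last = t;
  };
  const apply = (value) => {
    desc.set.call(doc, value); // the only path that reaches the native setter
    tokens -= 1; stats.applied += 1; pending = null;
  };
  // Shadow the prototype accessor on this one document instance.
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get: () => (pending !== null ? pending : desc.get.call(doc)),
    set: (value) => {
      refill();
      if (tokens >= 1) return apply(String(value));
      pending = String(value); // over budget: keep only the newest value
      stats.coalesced += 1;
    },
  });
  return {
    stats,
    // Call from a timer: writes the newest deferred title once budget allows.
    flush() {
      refill();
      if (pending === null || tokens < 1) return false;
      apply(pending);
      return true;
    },
  };
}

// Constructed stand-in for a Document, so the sketch runs outside a browser.
function makeStubDocument() {
  const nativeWrites = [];
  const proto = { get title() { return nativeWrites[nativeWrites.length - 1] ?? ''; },
                  set title(v) { nativeWrites.push(v); } };
  return { doc: Object.create(proto), nativeWrites };
}
```

With the limit in place, the cost of a burst of title writes is bounded by maxPerSecond rather than by how fast script can run, and stats.coalesced gives a simple signal that a page is writing titles abnormally fast.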
In a test conducted by The Register, Edge was affected, crashing the browser and locking up the Windows-based machine after about 30 seconds, while sucking down 18 GB of RAM into one tab. The vulnerability affects Chromium versions 143.0.7483.0 and later.
Pino first disclosed the issue to the Chromium security team on August 28 but did not receive a response. He published his proof-of-concept exploit, Brash, to "draw attention to a severe issue affecting broad internet users after my initial report went unanswered." Pino believes that public awareness is necessary when responsible disclosure does not produce timely mitigation.
The Brash vulnerability has significant implications for the billions of people worldwide who use Chromium-based browsers. Chrome alone accounts for over 70% of the market, and because companies customize Chromium for their own browsers, the fix may be more complex. The Register reached out to the companies behind all nine affected browsers - Chrome, Edge, Vivaldi, Arc, Dia, Opera, Perplexity Comet, ChatGPT Atlas, and Brave - but only Brave responded, stating that they would implement the fix when provided by Chromium.
It is worth noting that Firefox (Gecko engine) and Safari (WebKit engine), which use different rendering engines, were immune to the attack. Additionally, browsers running on iOS, which also use WebKit, were not affected.
Google has pushed an emergency patch for a Chrome 0-day, but it's unclear when this fix will be available for other Chromium-based browsers.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-Exposed-A-Global-Chrome-Browser-Crisis-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/10/29/brash_dos_attack_crashes_chromium/
Published: Wed Oct 29 16:28:28 2025 by llama3.2 3B Q4_K_M