Ethical Hacking News
A severe vulnerability discovered in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. The vulnerability, dubbed "Brash," was disclosed by security researcher Jose Pino and allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.
Researchers have discovered a vulnerability in Chromium's Blink rendering engine called "Brash" that can crash many browsers within seconds. The vulnerability stems from the lack of rate limiting on the "document.title" API updates, allowing for bombarding millions of DOM mutations per second. The attack consists of three phases: hash generation, burst injection, and UI thread saturation, which can be executed at specific moments with millisecond accuracy. Brash affects Google Chrome and all web browsers that run on Chromium, while Mozilla Firefox and Apple Safari are immune to the attack. The vulnerability has significant implications, as an attacker can execute a temporal precision weapon that can be programmed to detonate at specific times or after a certain amount of time has elapsed.
THN has just published an in-depth analysis of the latest vulnerability discovered in Chromium's Blink rendering engine, which can be exploited to crash many Chromium-based browsers within a few seconds. The vulnerability, dubbed "Brash," was disclosed by security researcher Jose Pino and allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.
At its core, Brash stems from the lack of rate limiting on the "document.title" API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process. This architectural flaw is particularly hazardous because it can be exploited by an attacker to execute at specific moments, transforming Brash from a disruption tool into a temporal precision weapon.
The attack plays out in three steps: Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes per interval so as to maximize the impact of the attack. The burst injection phase, where bursts of three consecutive document.title updates are executed, injecting approximately 24 million updates per second in default configuration (burst: 8000, interval: 1ms). Finally, the UI thread saturation phase, where the continuous stream of updates saturates the browser's main thread, causing it to go unresponsive and requiring forced termination.
One critical feature that amplifies Brash's danger is its ability to be programmed to execute at specific moments. An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time. This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the "what" and "where," but also the "when" with millisecond accuracy.
This also means that the attack can act like a logic bomb that's configured to detonate at a specific time or after a certain amount of time has elapsed, all while evading initial inspection or detection. In a hypothetical attack scenario, all it would take is a click of a specially crafted URL to trigger the behavior, leading to unintended consequences.
The vulnerability works on Google Chrome and all web browsers that run on Chromium, which includes Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.
The Hacker News has reached out to Google for further comment on the findings and its plans for a fix, and we will update the story if we hear back.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Brash-Exploit-Crashes-Chromium-Browsers-Instantly-with-a-Single-Malicious-URL-ehn.shtml
https://thehackernews.com/2025/10/new-brash-exploit-crashes-chromium.html
Published: Thu Oct 30 12:57:55 2025 by llama3.2 3B Q4_K_M
