
Chrome, Edge, Brave, Opera, and Vivaldi – all Chromium-based browsers – are currently vulnerable to a critical bug that lets attackers crash the browser within 15 to 60 seconds. All it takes is opening a malicious (or educational) website.
Security researcher Jose Pino (jofpin) has discovered a critical vulnerability in the Blink rendering engine, which powers Chromium-based browsers used by over three billion people worldwide.
The architectural flaw lies in how certain DOM (Document Object Model) operations are managed. Dubbed Brash, it collapses the browser in 15-60 seconds. The DOM is the tree-like model of a web page's elements that JavaScript can manipulate.
“By affecting Chromium browsers on desktop, Android, and embedded environments, this vulnerability exposes over three billion people on the internet to system-level denial of service,” the researcher said.
Hackers can easily exploit this. Just by luring a user to a maliciously crafted website, attackers can completely crash the user's browser. The researcher even provided a live interactive demonstration on a website called brash.run.
Beware: it will crash Chromium browsers, and potentially other programs, and there is no patch yet.
Exploiting the flaw loads the CPU, exhausting its resources and degrading overall system performance. The researcher warns that it can halt or slow down other processes running at the same time, which can lead to data loss.
The proof of concept is provided for educational and security research purposes, and neither the author nor Cybernews is responsible for any damages, data loss, or legal consequences arising from the use or misuse of this PoC.
“By using Brash, you acknowledge understanding these risks and agree to use it only for legitimate security research in isolated environments,” the researcher said.
How does the attack work?
“The attack vector originates from the complete absence of rate limiting on ‘document.title’ API updates. This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse,” Pino explains on GitHub.
The researcher tested 11 major Chromium browsers, and all of them crashed. Most browsers “survived” for 15-30 seconds, while Brave lasted longer, at 30-125 seconds. Firefox, Safari, and iOS browsers, which use other rendering engines, are not affected by the flaw.
The researcher detailed how the flaw works and provided proof-of-concept code. It loads 100 unique 512-character strings into memory before the attack and then executes “configurable bursts of title updates.”
“It attempts to inject approximately 24 million updates per second, and it’s during this attempt that the browser collapse begins,” Pino said.
“Continuous updates saturate the browser's main thread, preventing the processing of other events.”
Threat actors might exploit this attack to strategically time crashes and disrupt critical services at key moments, such as the opening of Wall Street, hospital shift changes, the start of online sales, or peak air traffic times. Even AI agents might be manipulated into scraping and running the code during automated operations.
“Brash can be weaponized in multiple critical contexts with consequences ranging from economic losses to human life risk,” the researcher warns.
The vulnerability can be prevented by introducing rate limiting on an API “that should be throttled by design.”
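To make that mitigation concrete, here is an added example of what a rate limit "by design" on title updates looks like. It is not code from the page or from the researcher's proof of concept, and the names (TitleRateLimiter, simulateBurst, the "sink" callback standing in for the engine's real title-change work) are hypothetical. The limiter commits at most N updates per second and coalesces the rest, keeping only the newest value, so a burst of tens of thousands of assignments costs the main thread about a dozen commits while the page still ends up with the title it last asked for.

```javascript
// Added example (not the page's or the researcher's code): a coalescing
// rate limiter for document.title assignments. Hypothetical names throughout.

class TitleRateLimiter {
  constructor(sink, { maxPerSecond = 10, now = () => Date.now() } = {}) {
    this.sink = sink;                     // does the real work of a title change
    this.minGapMs = 1000 / maxPerSecond;  // minimum spacing between commits
    this.now = now;                       // injectable clock so tests are deterministic
    this.lastCommitAt = -Infinity;
    this.pending = null;                  // newest value not yet committed
    this.stats = { received: 0, committed: 0 };
  }

  // Called for every assignment. Commits immediately when the quota allows;
  // otherwise remembers only the latest value. Older, never-committed values
  // are discarded: the observable end state is identical, the work is not.
  set(value) {
    this.stats.received++;
    const t = this.now();
    if (t - this.lastCommitAt >= this.minGapMs) {
      this._commit(value, t);
    } else {
      this.pending = value;
    }
  }

  // Called by the scheduler (e.g. once per frame) to release a coalesced value.
  flush() {
    const t = this.now();
    if (this.pending !== null && t - this.lastCommitAt >= this.minGapMs) {
      this._commit(this.pending, t);
    }
  }

  _commit(value, t) {
    this.sink(value);
    this.pending = null;        // a direct commit supersedes anything waiting
    this.lastCommitAt = t;
    this.stats.committed++;
  }
}

// Simulates `updates` title assignments spread evenly over `durationMs`
// on a fake clock, with one flush at the end. Returns what reached the sink.
// Without a limiter, the sink would run `updates` times.
function simulateBurst({ updates, durationMs, maxPerSecond }) {
  let clock = 0;
  let finalTitle = null;
  const sink = (v) => { finalTitle = v; };
  const limiter = new TitleRateLimiter(sink, { maxPerSecond, now: () => clock });

  for (let i = 0; i < updates; i++) {
    clock = Math.floor((i * durationMs) / updates);   // constructed timing
    limiter.set(`title-${i}`);                        // constructed title values
  }
  clock = durationMs;
  limiter.flush();
  return { ...limiter.stats, dropped: limiter.stats.received - limiter.stats.committed, finalTitle };
}

// A flood of 50,000 assignments in one second vs. a legitimate 5 per second.
const burst = simulateBurst({ updates: 50000, durationMs: 1000, maxPerSecond: 10 });
const normal = simulateBurst({ updates: 5, durationMs: 1000, maxPerSecond: 10 });
console.log(`burst: ${burst.received} received, ${burst.committed} committed, final "${burst.finalTitle}"`);
console.log(`normal: ${normal.received} received, ${normal.committed} committed`);
```

The design point is coalescing rather than rejecting: a page that legitimately updates its title a few times a second sees every update committed, while a flood is reduced to one commit per quota slot plus the final value, which is what the user would have ended up seeing anyway.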
The report doesn’t mention if the flaw was disclosed to Google. However, Pino told The Register that he initially disclosed it to the Chromium security team on August 28th and followed up on August 30th, but didn't receive a response. Google told the publication that it’s looking into the issue.