This security hole can crash billions of Chromium browsers, and Google hasn’t patched it yet

Summary

Researcher Jose Pino published a proof-of-concept called “Brash” that abuses an architectural flaw in Chromium’s Blink rendering engine to trigger a denial-of-service by hammering document.title updates. The exploit floods the main thread with millions of DOM mutations per second, freezing tabs, crashing browsers within seconds, and in some tests locking up the host system and using dozens of gigabytes of RAM.

The issue affects Chromium 143.0.7483.0 and later and works on many major Chromium-based browsers (Chrome, Edge, Brave, Vivaldi, Arc, Opera, Perplexity Comet, ChatGPT Atlas and others). Browsers using other engines (Firefox/Gecko, Safari/WebKit and iOS browsers) are not affected. Pino says he disclosed the flaw to the Chromium team in late August but got no timely fix, so he published the PoC to draw attention to the problem.

Key Points

  • Vulnerability: absence of throttling on document.title API updates in Blink allows millions of DOM mutations per second.
  • Exploit: PoC named “Brash” demonstrates crashing of Chromium-based browsers in 15–60 seconds; some tests froze the host and consumed ~18GB RAM in a single tab.
  • Scope: Affects Chromium builds 143.0.7483.0+ and many browsers derived from Chromium; billions of users potentially impacted given Chrome’s market share.
  • Platforms: Confirmed on Android, macOS, Windows and Linux; iOS-based browsers (WebKit) and Firefox are immune.
  • Disclosure timeline: The researcher reported the bug to Chromium at the end of August; reports say responses were slow or absent, prompting public release of the PoC.
  • Mitigation: No vendor patch available at time of reporting — avoid untrusted pages, close suspicious tabs, and use non-Chromium browsers where feasible until fixes arrive.
  • Impact: Denial-of-service (crash/host freeze) — not a data-exfiltration or ransomware vector, but can cause data loss if work in tabs is unsaved.

Context and relevance

This is a high-impact reliability and security flaw because it exploits a very common API and an architectural omission (no rate limiting). With Chromium at the core of many mainstream browsers and services (including some AI-built browsers), a simple client-side script could disrupt large numbers of users or targeted systems quickly. For IT teams and security ops, it highlights the risk of relying on upstream components and the need for rapid patching and mitigations across the browser ecosystem.
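
The control this summary describes as missing is rate limiting of title updates. As an added illustration (not Chromium's code, not the researcher's, and not a confirmed fix), the JavaScript below shows what a coalescing limiter does to a burst of writes: a small budget per window is written through, and everything else collapses to the single most recent value. The class name, its options and the burst data are assumptions made for this example.

```javascript
// Added illustration. TitleWriteLimiter, sink and now are hypothetical names,
// not Chromium or Blink APIs. The burst in simulateBurst() is constructed.
class TitleWriteLimiter {
  // sink performs the real write; now is an injectable clock (milliseconds).
  constructor(sink, { maxPerWindow = 4, windowMs = 1000, now = Date.now } = {}) {
    Object.assign(this, { sink, maxPerWindow, windowMs, now });
    this.windowStart = now();
    this.used = 0;           // writes spent in the current window
    this.hasPending = false; // a deferred value is waiting
    this.pending = "";
    this.dropped = 0;        // values superseded before being written
  }
  _roll() {                  // start a fresh budget once the window elapses
    const t = this.now();
    if (t - this.windowStart >= this.windowMs) { this.windowStart = t; this.used = 0; }
  }
  _supersede() {             // a newer value replaces any deferred one
    if (this.hasPending) { this.dropped++; this.hasPending = false; }
  }
  write(value) {             // returns true if written now, false if deferred
    this._roll();
    this._supersede();
    if (this.used < this.maxPerWindow) {
      this.used++;
      this.sink(String(value));
      return true;
    }
    this.pending = String(value);
    this.hasPending = true;
    return false;
  }
  flush() {                  // call from a timer; emits only the latest value
    this._roll();
    if (!this.hasPending || this.used >= this.maxPerWindow) return false;
    this.used++;
    this.hasPending = false;
    this.sink(this.pending);
    return true;
  }
}

// Constructed burst: `count` updates in one instant, then one flush a window later.
function simulateBurst(count) {
  let clock = 0;
  const written = [];
  const limiter = new TitleWriteLimiter(v => written.push(v), { now: () => clock });
  for (let i = 0; i < count; i++) limiter.write("t" + i);
  clock = 1000;
  limiter.flush();
  return { written, dropped: limiter.dropped };
}
```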

Why should I read this?

Yes, you should. If you run Chromium-based browsers (which most people and many organisations do), this is the sort of bug that can suddenly trash a user’s session or even freeze a machine. Read this so you know the risk, can warn colleagues, and take quick steps (close suspicious tabs, use alternative browsers, patch when available).

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/29/brash_dos_attack_crashes_chromium/