A serious vulnerability in the Blink engine can disable many Chromium-based browsers in a matter of seconds or even trigger a crash of the entire system. Security researcher Jose Pino dubbed the issue Brash and released a PoC exploit for it.
The crux of the issue is that Blink doesn’t throttle the update frequency of the document.title API, which makes it possible to generate millions of DOM mutations per second. This can cause the browser to terminate abruptly and degrade system performance, since the process hogs nearly all CPU resources.
“This allows you to crash any Chromium-based browser within 15–60 seconds due to an architectural flaw in how certain DOM operations are handled,” Pino explains.
An attack exploiting Brash unfolds in three stages.
- Preparation phase: the attacker loads 100 unique hexadecimal strings, 512 characters each, into memory. These serve as the basis for cyclic changes of the tab title.
- Injection phase: bursts of document.title updates (three in a row) are performed, which with the default configuration (burst: 8000, interval: 1 ms) yields roughly 24 million updates per second.
- Main thread overload phase: continuous updates saturate the browser’s main thread, causing the UI to stop responding, tabs to hang, and the process to require forced termination.
The researcher writes that a particular danger of Brash lies in its ability to be triggered at a precise time. Brash can be hidden in code and set to execute at a predetermined moment, turning the exploit into a logic bomb. A single click on a specially crafted link is enough, and the malicious script will fire when it’s most advantageous for the attacker.
The issue affects Chromium versions starting from 143.0.7483.0. Pino tested his PoC exploit on 11 popular browsers for Android, macOS, Windows, and Linux: nine of them were vulnerable (including Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet).
Only Firefox and Safari proved resistant to such attacks: they use different engines (Gecko and WebKit). All iOS browsers are also protected, due to the mandatory requirement to use WebKit.
The expert notified the Chromium security team about the bug back in August 2025 but never received a response from the developers. As a result, Pino published details of the vulnerability and a PoC exploit to draw attention to the issue.
The researcher warns that due to the numerous custom modifications of Chromium, patches may have to be applied individually to each product.
After the researcher’s report was published, Google representatives told the media that they are looking into the issue. For their part, the Brave developers noted that their browser has no custom logic around document.title and will implement a fix when it appears in Chromium. The creators of other browsers have not commented on the situation yet.
For now, the only protection against Brash attacks is caution: users are advised not to follow suspicious links and to immediately close browser tabs at the first signs of freezing.
Pino writes that the technical fix for this issue, which should be implemented by the Chromium developers (and teams behind products built on it), should involve limiting the update frequency of document.title and managing resource consumption in Blink.
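To make the idea of limiting the document.title update frequency concrete, here is an added sketch (not Pino's code and not Chromium's fix) of a coalescing rate limiter: however many writes arrive inside a window, only the newest one is passed on. The names createTitleLimiter and installTitleLimiter and the 100 ms window are assumptions made for this illustration.

```javascript
// Added example: coalescing rate limiter for document.title writes.
// createTitleLimiter, installTitleLimiter and the 100 ms window are assumptions.
function createTitleLimiter(applyTitle, minIntervalMs = 100,
                            now = Date.now, schedule = setTimeout) {
  let lastApplied = -Infinity; // time of the last write that reached the engine
  let pending = null;          // newest title still waiting for the window
  let timerArmed = false;      // at most one timer is outstanding
  const stats = { requested: 0, applied: 0 };

  function flush() {
    timerArmed = false;
    if (pending === null) return;
    const wait = lastApplied + minIntervalMs - now();
    if (wait > 0) {            // window still closed: retry when it opens
      timerArmed = true;
      schedule(flush, wait);
      return;
    }
    const value = pending;
    pending = null;
    lastApplied = now();
    stats.applied++;
    applyTitle(value);
  }

  function set(value) {
    stats.requested++;
    pending = String(value);   // later writes overwrite earlier ones
    if (!timerArmed) flush();
  }
  return { set, stats };
}

// Browser-only wiring: shadow the native accessor on one document.
function installTitleLimiter(doc, minIntervalMs = 100) {
  const native = Object.getOwnPropertyDescriptor(Document.prototype, 'title');
  const limiter = createTitleLimiter(v => native.set.call(doc, v), minIntervalMs);
  let latest = native.get.call(doc);
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get: () => latest,         // reads see the last value the page asked for
    set: v => { latest = String(v); limiter.set(v); },
  });
  return limiter;
}
```

The wrapper only limits writes made through the document.title accessor of the document it is installed on, and its stats counters give a simple signal for flagging a page that requests far more title changes than are applied. The engine-level throttling and resource management that Pino describes still has to come from Blink itself.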