A newly discovered flaw in Chromium-based browsers has exposed over 3 billion users to a serious crash vulnerability. The bug, named “Brash,” can cause browsers like Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi to completely collapse within seconds of visiting a malicious website.
The issue was discovered by security researcher Jose Pino (jofpin), who found the flaw in Blink, the rendering engine that powers all Chromium browsers. According to him, the vulnerability can trigger a complete system-level denial of service in as little as 15 to 60 seconds, depending on the browser and device.
The core of the problem lies in how the Document Object Model (DOM) operations are handled inside Blink. DOM is the structure that browsers use to manage and render web elements, allowing JavaScript to update content dynamically.
The Brash bug takes advantage of a design flaw in the “document.title” API, which does not limit how often the page title can be updated. This missing safeguard allows an attacker to inject millions of DOM mutations per second, overwhelming the browser’s main thread and eventually forcing it to crash.
During this process, the CPU usage spikes sharply, draining system resources and even slowing down or freezing other programs running simultaneously. This can potentially lead to data loss or temporary system instability.
Pino tested 11 different Chromium-based browsers, and all of them crashed during the experiment. Most browsers failed within 15–30 seconds, while Brave managed to stay stable for slightly longer (up to 125 seconds). Firefox, Safari, and iOS browsers were not affected, as they use different rendering engines.
The proof-of-concept (PoC) code loads hundreds of long text strings into memory and repeatedly updates the page title at extreme speeds, roughly 24 million updates per second. This overload eventually halts the browser’s ability to process other events, leading to a complete crash.
Pino also created a live demo at brash.run, which shows how the exploit works. However, he warns that visiting the page can crash Chrome and similar browsers instantly, and it should only be used in isolated, secure environments for testing purposes.
While Brash may appear to be a simple crash bug, its potential impact could be much broader. Since attackers can trigger the vulnerability remotely, it could be weaponized to disrupt critical systems or services at key moments.
The most effective way to prevent the Brash bug is by introducing rate limiting to APIs like document.title, which are not currently throttled by design. This would prevent excessive updates from overwhelming the browser’s main thread.
As of now, no official patch has been released. Pino said he reported the issue to Google’s Chromium Security Team on August 28, 2025, and followed up two days later but received no immediate response. Google has since confirmed that it is investigating the vulnerability.
