Critical Blink Vulnerability Lets Attackers Crash Chromium Browsers in Seconds

Security researchers have discovered a critical architectural flaw in the Blink rendering engine that powers Chromium-based browsers, exposing over 3 billion users to denial-of-service attacks.

The vulnerability, called Brash, allows malicious actors to completely crash Chrome, Edge, Brave, Opera, and other Chromium browsers within 15 to 60 seconds through a simple code injection.

The attack exploits the complete absence of rate limiting on the document.title API, a fundamental web technology that updates the browser tab title.

By sending millions of title updates per second, attackers can overwhelm the browser’s main thread, saturate system resources, and trigger an unrecoverable collapse. The vulnerability is currently operational and affects Chromium versions 143.0.7483.0 and earlier.

How the Attack Works

The Brash exploit operates through three distinct phases. First, it pre-loads 100 unique hexadecimal strings into memory, avoiding the computational overhead of generating them during the attack. This maximises the speed and efficiency of the assault.

Next, the attack injects approximately 24 million document.title updates per second in configurable bursts.

Each burst performs three sequential title changes, creating a rendering pipeline nightmare that the browser cannot process.

The browser’s main thread becomes completely saturated, blocking the event loop and preventing user input processing.

Within seconds, the browser becomes frozen and unresponsive. After 5-10 seconds, the tab is impossible to close. By 10-15 seconds, users see the “Page Unresponsive” dialog.

Complete browser termination occurs within 15-60 seconds, depending on the browser variant and system specifications.

Testing across 11 major browsers confirmed that all Chromium-based browsers are vulnerable. Chrome crashes in 15-30 seconds, Edge in 15-25 seconds, and Opera in approximately 60 seconds, as reported on GitHub.

Firefox and Safari remain immune due to their different rendering engines, as do all iOS browsers thanks to Apple’s mandatory WebKit requirement.

The consequences are severe. The attack consumes extreme amounts of CPU resources, degrades overall system performance, and can halt or slow down other running processes.

On desktop computers, Android devices, and embedded systems, the impact is immediate and catastrophic.

Attackers can weaponise Brash using delayed or scheduled execution parameters, allowing them to inject the code days beforehand and trigger it at precise moments.

This capability enables coordinated attacks during critical windows: stock market opening, hospital shift changes, major e-commerce events, or live broadcasts.

The vulnerability poses genuine risks to critical infrastructure. Medical professionals using web-based surgical navigation systems could lose visualization during operations.

Financial institutions could experience trading platform collapses during peak market hours. AI-dependent automated systems and enterprise infrastructure relying on headless browser automation face complete disruption.

Users currently on affected Chromium versions should avoid clicking suspicious links promising leaked documents, urgent security alerts, or time-sensitive information.

Organisations should monitor for browser-based disruptions and maintain backups of critical systems.

The research community and Chromium developers are actively working on patches to implement proper rate limiting on DOM operations and prevent similar attacks in the future.
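To make "rate limiting on DOM operations" concrete, the following added example (not Chromium's patch and not code from the Brash research) coalesces title writes so that the expensive update step runs at most once per interval, with the most recent value winning. The names createTitleLimiter and simulateBurst, the 100 ms interval, and the workload on a fake clock are all assumptions made for illustration.

```javascript
// Added illustration, not Chromium's patch: the costly "apply" step runs at most once per interval.
function createTitleLimiter(apply, opts = {}) {
  const minIntervalMs = opts.minIntervalMs ?? 100;   // assumed budget: 10 updates/s
  const now = opts.now ?? (() => Date.now());
  const schedule = opts.schedule ?? ((fn, ms) => setTimeout(fn, ms));
  const stats = { requested: 0, applied: 0, coalesced: 0 };
  let lastApplied = -Infinity, pending = null, hasPending = false, timerArmed = false;
  function commit(value) {
    lastApplied = now();
    stats.applied++;
    apply(value);
  }
  function flush() {
    timerArmed = false;
    if (!hasPending) return;
    const value = pending;
    pending = null; hasPending = false;
    commit(value);
  }
  function set(value) {
    stats.requested++;
    const wait = lastApplied + minIntervalMs - now();
    if (wait <= 0 && !timerArmed) return commit(String(value));
    if (hasPending) stats.coalesced++;               // older queued value is dropped
    pending = String(value);
    hasPending = true;
    if (!timerArmed) { timerArmed = true; schedule(flush, wait); }
  }
  return { set, stats };
}

// Constructed workload on a fake clock: `writes` title changes spread over `ms` milliseconds.
function simulateBurst(writes, ms, minIntervalMs) {
  let clock = 0;
  const titles = [], timers = [];                    // timers: [{ at, fn }]
  const limiter = createTitleLimiter((v) => titles.push(v), {
    minIntervalMs, now: () => clock,
    schedule: (fn, delay) => timers.push({ at: clock + delay, fn }) });
  const runDue = () => { while (timers.length && timers[0].at <= clock) timers.shift().fn(); };
  for (let i = 0; i < writes; i++) {
    clock = Math.floor((i * ms) / writes);           // integer milliseconds
    runDue();
    limiter.set("title-" + i);
  }
  clock = ms + minIntervalMs;                        // let the last queued write flush
  runDue();
  return { ...limiter.stats, lastTitle: titles[titles.length - 1] };
}
```

A page that changes its title a few times per second passes through untouched, while a flood collapses to about ten applied updates per second. The limit has to be enforced inside the engine, since script running on the page could bypass a wrapper defined in JavaScript.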
