Exploit Crashes Chromium Browsers

One naughty URL, and your Chromium browser keels over

A bug in Chromium’s Blink engine, dubbed Brash, can crash Chromium-based browsers within seconds via a crafted URL. The issue abuses the lack of rate-limiting on document.title updates, flooding the DOM with millions of mutations per second. The three-stage attack—hash preparation, burst injection, UI thread saturation—freezes the browser and can degrade system performance. Firefox and Safari are immune; Chrome, Edge, Brave, Opera, Vivaldi, Arc, and even AI browsers like ChatGPT Atlas and Perplexity Comet are affected. Google has been contacted for a fix.

Security researcher José Pino unveiled Brash—a quirk in Chromium’s Blink engine that lets a single URL crash many Chromium browsers in 15–60 seconds. How? By spamming document.title changes so aggressively that the DOM update queue overwhelms the UI thread. No zero-day wizardry, just volume.

The attack runs in three acts: preloading long strings for speed, burst-injection of title updates (tens of millions per second), and final thread saturation that leaves the browser unresponsive. It can even be timed like a logic bomb to trigger on schedule. The result: your tabs freeze, CPU spikes, and productivity takes a tea break.

Who’s affected? Chrome, Edge, Brave, Opera, Vivaldi, Arc, and newer AI browsers (ChatGPT Atlas, Perplexity Comet). Firefox and Safari shrug it off. Google’s been notified; fixes are pending.

What to do now:
• Treat unknown links like suspicious mushrooms—don’t click.
• Consider tab isolation tools and process limits on managed devices.
• For high-risk environments, use defence-in-depth browsers or profiles until patches land.

It’s a denial-of-service, not remote code execution—annoying rather than cataclysmic—but it’s a reminder that performance quirks can be weaponised.