Brash exploit can cause any Chromium browser to collapse in 15-60 seconds


“Brash” flaw in Chromium’s Blink engine lets attackers crash browsers instantly via a single malicious URL, researcher Jose Pino revealed.

Security researcher Jose Pino found a severe vulnerability, named Brash, in Chromium’s Blink rendering engine that can be exploited to crash many Chromium-based browsers within a few seconds.

“Brash is a critical vulnerability in Blink, the rendering engine that powers Google’s Chromium-based browsers. It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.” wrote Pino.

The Brash exploit abuses the lack of rate limiting in the document.title API to flood browsers with millions of DOM updates per second, overloading the main thread and crashing Chromium-based browsers. It causes severe CPU spikes, freezes, and system slowdowns across desktop, Android, and embedded devices. The vulnerability potentially impacts over 3 billion users globally.

The attack runs in three phases. First, the attacker preloads 100 unique 512-char hex strings in memory to avoid CPU pauses and maximize update throughput. Second, a burst injector issues rapid triple-updates (default burst: 8000, 1ms interval), achieving ~24 million title writes per second. Third, continuous injections saturate the UI/main thread: within seconds CPU soars, tabs freeze, the page becomes unresponsive and the browser soon collapses or requires forced termination.
It works because Blink processes each title change synchronously on the main thread with no rate limiting, blocking the event loop, filling memory with long strings, thrashing the compositor and rendering pipeline, and preventing user input or other event processing.
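
The missing control described above, rate limiting on title writes, sketched as an added example (not code from Pino's research or from Chromium): a wrapper that coalesces writes to a `title` accessor so the wrapped setter runs at most once per interval. The names `installTitleThrottle` and `simulateBurst`, the 250 ms interval and the stand-in for `Document.prototype` are assumptions of this example.

```javascript
// Added example (hypothetical names): coalesce writes to a `title` accessor so
// the wrapped setter runs at most once per interval, keeping the latest value.
function installTitleThrottle(proto, { minIntervalMs = 250, now = Date.now, schedule = setTimeout } = {}) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'title');
  if (!desc || !desc.set || !desc.configurable) throw new TypeError('title is not a configurable accessor');
  const state = new WeakMap(); // per document: { last, pending, timer }
  const stats = { requested: 0, applied: 0 };
  const apply = (doc, s, value) => {
    s.last = now(); s.timer = null;
    stats.applied++;
    desc.set.call(doc, value); // call the wrapped (original) setter
  };
  Object.defineProperty(proto, 'title', {
    configurable: false, // the accessor on this prototype cannot be redefined afterwards
    enumerable: desc.enumerable,
    get() {
      const s = state.get(this);
      return s && s.timer !== null ? s.pending : desc.get.call(this);
    },
    set(value) {
      stats.requested++;
      let s = state.get(this);
      if (!s) state.set(this, (s = { last: -Infinity, pending: '', timer: null }));
      const wait = s.last + minIntervalMs - now();
      if (wait <= 0 && s.timer === null) return apply(this, s, String(value));
      s.pending = String(value); // drop intermediate values, keep the latest
      if (s.timer === null) s.timer = schedule(() => apply(this, s, s.pending), wait);
    },
  });
  return stats;
}

// Constructed test double for Document.prototype, driven by a manual clock.
function simulateBurst(writes = 1000) {
  let clock = 0, nativeCalls = 0;
  const timers = [], proto = {};
  Object.defineProperty(proto, 'title', {
    configurable: true, enumerable: true,
    get() { return this._title; },
    set(v) { this._title = v; nativeCalls++; },
  });
  const stats = installTitleThrottle(proto, { now: () => clock, schedule: (fn, ms) => timers.push({ at: clock + ms, fn }) });
  const doc = Object.create(proto);
  for (let i = 0; i < writes; i++) doc.title = `t${i}`; // all at clock = 0
  clock = 250;
  timers.filter((t) => t.at <= clock).forEach((t) => t.fn());
  return { ...stats, nativeCalls, finalTitle: doc.title };
}
```

In an automated crawler the wrapper would have to be installed before page scripts run, for example through Puppeteer's `page.evaluateOnNewDocument`. It illustrates the control and is not a substitute for an engine-side fix.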

The researchers tested the Brash exploit against 11 major browsers on macOS, Windows, and Linux:

Vulnerable (Chromium/Blink)

All Chromium-based browsers are vulnerable because the flaw exists in the core of the Blink rendering engine:

  • Chrome — crashes in 15-30 seconds
  • Edge — crashes in 15-25 seconds
  • Vivaldi — crashes in 15-30 seconds
  • Arc Browser — crashes in 15-30 seconds
  • Dia Browser — crashes in 15-30 seconds
  • Opera — crashes in ~60 seconds
  • Perplexity Comet — crashes in 15-35 seconds
  • ChatGPT Atlas — crashes in 15-60 seconds
  • Brave — crashes in 30-125 seconds

Not Vulnerable (Using Other Engines)

  • Firefox (Gecko engine) — immune to the attack
  • Safari (WebKit engine) — immune to the attack
  • iOS browsers (all use WebKit) — immune to the attack due to Apple’s mandatory policy requiring all iOS browsers to use WebKit as their rendering engine, making Chromium-based browsers impossible on iOS

“Brash” can be weaponized with severe consequences, from economic damage to threats to human safety. Attackers can program it to trigger at precise times, remaining dormant until a scheduled moment to maximize impact.

“A critical feature that amplifies Brash’s danger is its ability to be programmed to execute at specific moments. An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time.” Pino added.

“This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the “what” and “where,” but also the “when” with millisecond accuracy.”

Pino explained that an attacker can inject Brash into websites that AI agents and headless browsers (Chromium/Puppeteer) routinely crawl. When agents visit those pages, the headless browser can collapse, halting analysis pipelines and blocking automated trading, price monitoring, SEO crawls, customer‑support lookups and compliance scans. Simultaneous failures across many agents cause timeouts, stalled decisions, economic losses, high recovery costs, and expose critical dependence on automated systems.

“The creation of Brash is an effort to demonstrate what happens when basic protections are absent in the web technologies we use daily. The vulnerability doesn’t lie in complex code or advanced techniques, but in the fundamental lack of rate limiting on an API that should be throttled by design.” concludes the expert. “The impact of Brash on over 3 billion Chromium browser users demonstrates that architectural flaws in core components like Blink have massive and global consequences. This is not an isolated bug—it’s a design flaw that affects the entire Chromium ecosystem.”


Pierluigi Paganini

(SecurityAffairs – hacking, Brash exploit)


