Brash Vulnerability Can Crash Chromium Browsers in Seconds

Security researcher Jose Pino has discovered a serious vulnerability in the Blink engine that can crash most Chromium-based browsers within 15 to 60 seconds, or even cause complete system freezes. He named the flaw "Brash" and published a proof-of-concept exploit to draw attention to the issue after Google failed to respond to his initial report.

The vulnerability affects Chromium versions starting from 143.0.7483.0, putting millions of users at risk across multiple browsers including Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, and others.

How Brash Works

The problem stems from an architectural oversight in how Blink handles the document.title API. Unlike other browser operations, Blink places no limits on how rapidly this API can refresh, allowing attackers to trigger millions of DOM mutations per second.

"This allows crashing any Chromium browser in 15-60 seconds due to an architectural error in managing certain DOM operations," Pino explains.

The attack unfolds in three stages:

1. Preparation Phase: The attacker loads 100 unique hexadecimal strings into memory, each 512 characters long. These strings become the rotating values for the browser tab title.

2. Injection Phase: The malicious code executes rapid-fire document.title updates in bursts of three in succession. Using default settings (burst: 8000, interval: 1 millisecond), that is 8,000 bursts of three updates per millisecond, which generates approximately 24 million updates per second.

3. Main Thread Overload Phase: The continuous title updates overwhelm the browser's main thread. The interface becomes unresponsive, tabs freeze, and the browser process consumes nearly all available CPU resources. Eventually, users must forcibly terminate the browser.

The Logic Bomb Threat

Beyond simple crashes, Brash presents another danger: timed activation. An attacker can embed Brash code in a webpage and configure it to trigger at a specific moment, essentially creating a logic bomb. A single click on a crafted link is all it takes—the malicious script can then execute whenever the attacker chooses, potentially during critical moments like online transactions or important presentations.

Which Browsers Are Affected?

Pino tested his exploit on 11 popular browsers across Android, macOS, Windows, and Linux. Nine proved vulnerable:

  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi
  • Arc Browser
  • Dia Browser
  • OpenAI ChatGPT Atlas
  • Perplexity Comet
  • (And standard Chromium)

Only Firefox and Safari resisted the attack, as they use different rendering engines—Gecko and WebKit, respectively. All iOS browsers are also protected because Apple requires every browser on iOS to use WebKit, regardless of branding.

A Disclosure Timeline Problem

Pino reported the vulnerability to the Chromium security team in August 2025. After receiving no response from developers, he chose to publish information about Brash and release the proof-of-concept exploit to force action on the issue.

This decision highlights an ongoing debate in the security community: when is it appropriate to publicly disclose vulnerabilities that vendors ignore? Pino clearly felt that months without acknowledgment justified public disclosure.

Developer Responses

Following publication of Pino's research, Google representatives told media outlets they are investigating the issue—a standard response that offers no timeline or commitment.

Brave developers acknowledged that their browser doesn't have custom logic for document.title and said they'll implement a fix once it becomes available in upstream Chromium. Other affected browser makers have remained silent.

Pino notes that because of the numerous custom modifications different vendors make to Chromium, patches may need individual implementation for each product. This could mean users of some browsers remain vulnerable even after Google patches the core issue.

Protecting Yourself Now

Until patches arrive, users have limited options for protection:

  • Avoid clicking suspicious links
  • Close browser tabs immediately at the first sign of freezing or unresponsiveness
  • Consider temporarily switching to Firefox or Safari for sensitive activities
  • Keep your browser updated to catch the fix as soon as it's released

Per Pino, the proper technical solution requires Chromium developers to implement rate limiting on document.title refreshes and better resource consumption management within Blink.
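
As an added example (not code from Pino or the Chromium project), the following JavaScript shows the rate-limiting idea at the property level: writes to title are coalesced so the underlying setter runs at most once per interval, with the newest value winning. The names installTitleRateLimit and simulateFlood, the 100 ms budget, and the stand-in document object are assumptions for illustration; the fix Pino describes belongs inside Blink itself.

```javascript
// Added example, not Chromium or Brash code. Coalesces writes to `title` so the
// underlying setter runs at most once per minIntervalMs; the last value wins.
function installTitleRateLimit(doc, opts = {}) {
  const minIntervalMs = opts.minIntervalMs ?? 100;   // assumed budget: 10 writes/s
  const now = opts.now ?? (() => Date.now());
  const schedule = opts.schedule ?? ((fn, ms) => setTimeout(fn, ms));
  // Locate the original `title` descriptor (own or inherited from a prototype).
  let owner = doc, desc;
  while (owner && !(desc = Object.getOwnPropertyDescriptor(owner, 'title'))) {
    owner = Object.getPrototypeOf(owner);
  }
  let stored = desc && 'value' in desc ? desc.value : '';
  const read = desc && desc.get ? () => desc.get.call(doc) : () => stored;
  const write = desc && desc.set ? (v) => desc.set.call(doc, v) : (v) => { stored = v; };

  const stats = { requested: 0, applied: 0 };
  let lastWrite = -Infinity, pending = null, timerArmed = false;
  function flush() {
    timerArmed = false;
    if (pending === null) return;
    write(pending); pending = null;
    lastWrite = now(); stats.applied++;
  }
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get: () => (pending !== null ? pending : read()),
    set(value) {
      stats.requested++;
      pending = String(value);                 // keep only the newest value
      const wait = minIntervalMs - (now() - lastWrite);
      if (wait <= 0) flush();                  // budget available: write through
      else if (!timerArmed) { timerArmed = true; schedule(flush, wait); }
    },
  });
  return stats;
}

// Constructed stand-in for a document: counts how often the "engine" setter runs.
function simulateFlood(writes) {
  let clock = 0, engineWrites = 0, engineTitle = '';
  const timers = [];
  const proto = { get title() { return engineTitle; },
                  set title(v) { engineWrites++; engineTitle = v; } };
  const doc = Object.create(proto);
  const stats = installTitleRateLimit(doc, { now: () => clock, schedule: (fn) => timers.push(fn) });
  for (let i = 0; i < writes; i++) doc.title = 'title-' + i;
  clock = 100; timers.forEach((fn) => fn());   // advance the fake clock past the interval
  return { ...stats, engineWrites, finalTitle: engineTitle };
}
```

With the fake clock, a flood of 24,000 assignments reaches the stand-in setter only twice: once immediately and once when the deferred flush runs.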

The Bigger Picture

The Brash vulnerability exposes how a seemingly minor API—changing a browser tab's title—can become a serious security issue when proper limits aren't enforced. It also demonstrates the challenge of securing software that multiple vendors modify and redistribute: even after Google patches Chromium, dozens of derivative browsers will need to adopt those fixes.

For the millions of users relying on Chromium-based browsers, this serves as a reminder that browser diversity matters. Firefox and Safari's immunity to this attack stems directly from their different rendering engines—a practical argument against browser engine monoculture.

The situation also raises questions about responsible disclosure practices. Pino's decision to publish after months of silence from Google may accelerate a fix, but it also gives attackers a ready-made exploit. Whether this was the right call depends largely on whether Google now prioritizes a patch they previously ignored.