
A newly discovered flaw called Brash has put the world’s most popular web browsers at risk, with Chrome, Edge, Opera, Brave, Vivaldi, and Arc all affected. The vulnerability, found by researcher Jose Pino, impacts all Chromium-based browsers running on versions up to 143.0.7483.0 and stems from a weakness in Blink, Chromium’s core rendering engine. This flaw allows attackers to exploit the way DOM operations are managed, forcing browsers to freeze or crash after only seconds of exposure. Given Chromium’s global dominance, the issue could impact more than three billion users, marking one of the widest-reaching browser vulnerabilities in recent memory.
Pino’s analysis reveals that Brash takes advantage of the document.title API, which lacks rate limiting. This oversight enables attackers to inject millions of DOM mutations per second, overloading the browser’s main thread and consuming significant CPU resources. The overload prevents the browser from handling events properly, eventually locking up the interface and affecting the overall system’s responsiveness. While the attack doesn’t corrupt files or cause data loss, its potential to paralyze entire systems is alarming—especially for users multitasking or working on resource-intensive applications.
Independent tests have confirmed that the vulnerability can be triggered by simply visiting a test page like brash.run, which causes Chromium browsers to stop responding, while non-Chromium browsers like Firefox and Safari remain unaffected. Pino has shared full documentation of the issue on GitHub, ensuring security experts and developers can study and mitigate the threat. At present, Google has not issued a patch, but the company is investigating and is expected to act swiftly to protect users. Until a fix is deployed, experts recommend using alternative browsers or limiting exposure to unknown web content.
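To make concrete what the missing rate limit on document.title writes would look like, here is an added illustration (not code from Pino's documentation or from Chromium): a token-bucket wrapper around a `title` setter that caps how many writes become DOM mutations. `FakeDocument`, `installTitleRateLimit` and its option names are hypothetical, and `FakeDocument` is a constructed stand-in so the block runs under Node.

```javascript
// Added illustration, not Chromium's or the researcher's code.
// FakeDocument is a constructed stand-in so this runs under Node; in a
// browser, `title` is an accessor property on Document.prototype.
class FakeDocument {
  constructor() { this._title = ""; this.mutations = 0; }
  get title() { return this._title; }
  // Every write that reaches the original setter counts as one DOM mutation.
  set title(v) { this._title = String(v); this.mutations++; }
}

// Hypothetical helper: wraps the `title` accessor found on `proto` with a
// token bucket. Up to `burst` writes pass immediately, then `perSecond`
// writes per second; anything beyond that is dropped before it reaches
// the original setter. `now` is injectable so tests can control time.
function installTitleRateLimit(proto, { perSecond = 10, burst = 5, now = Date.now } = {}) {
  const desc = Object.getOwnPropertyDescriptor(proto, "title");
  if (!desc || !desc.set) throw new TypeError("no title setter on prototype");
  const buckets = new WeakMap(); // one bucket per document instance
  const stats = { applied: 0, dropped: 0 };

  Object.defineProperty(proto, "title", {
    configurable: true,
    enumerable: desc.enumerable,
    get() { return desc.get.call(this); },
    set(value) {
      const t = now();
      let b = buckets.get(this);
      if (!b) { b = { tokens: burst, last: t }; buckets.set(this, b); }
      // Refill in proportion to elapsed time, never above `burst`.
      b.tokens = Math.min(burst, b.tokens + ((t - b.last) / 1000) * perSecond);
      b.last = t;
      if (b.tokens >= 1) {
        b.tokens -= 1;
        stats.applied++;
        desc.set.call(this, value); // admitted: one real mutation
      } else {
        stats.dropped++;            // throttled: no mutation happens
      }
    },
  });

  // Restore the original accessor.
  return { stats, uninstall() { Object.defineProperty(proto, "title", desc); } };
}
```

Dropped writes leave the title stale until a later write is admitted; a limiter that coalesces and applies the last value is a possible refinement not shown here.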

