
Security researcher Jose Pino has discovered a security vulnerability in all Chromium-based browsers built on Chromium versions up to 143.0.7483.0, which includes Chrome, Edge, and Opera, but also Vivaldi, Arc, and Brave. In other words, because Chrome and Chromium-based browsers dominate desktops and mobile devices, most PCs on the planet are affected by the vulnerability, which Pino has named Brash.
The Brash vulnerability exists in Blink, the rendering engine of Google’s Chromium. According to Pino, the vulnerability “allows any Chromium browser to collapse in 15 to 60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.”
Pino continues (bolded text is his emphasis):
“The attack vector originates from the complete absence of rate limiting on `document.title` API updates. This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse. The impact is significant, it consumes high CPU resources, degrades overall system performance, and can halt or slow down other processes running simultaneously. By affecting Chromium browsers on desktop, Android, and embedded environments, this vulnerability exposes over 3 billion people on the internet to system-level denial of service.”
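To make the missing control concrete, here is an added sketch (not Pino's code and not a Chromium patch) of what rate limiting `document.title` writes looks like: a setter that forwards at most one write per interval and coalesces the rest. The names `installTitleLimiter`, `minIntervalMs` and `stats`, the 250 ms default and the stand-in document used in `demo` are assumptions made for this illustration.

```javascript
// Added example; installTitleLimiter, minIntervalMs and stats are hypothetical names.
function findAccessor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
}

// Shadow doc.title so at most one write per minIntervalMs reaches the native setter.
function installTitleLimiter(doc, { minIntervalMs = 250, now = Date.now, schedule = setTimeout } = {}) {
  const native = findAccessor(doc, 'title');
  if (!native || !native.set) throw new TypeError('title is not an accessor property');
  const stats = { requested: 0, applied: 0 };
  let pending = '', hasPending = false, timerArmed = false, lastApplied = -Infinity;
  const flush = () => {
    timerArmed = false;
    if (!hasPending) return;
    hasPending = false;
    lastApplied = now();
    stats.applied++;
    native.set.call(doc, pending); // only the most recent value is forwarded
  };
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get() { return hasPending ? pending : native.get.call(doc); },
    set(value) {
      stats.requested++;
      pending = String(value);
      hasPending = true;
      const wait = lastApplied + minIntervalMs - now();
      if (wait <= 0) flush();
      else if (!timerArmed) { timerArmed = true; schedule(flush, wait); }
    },
  });
  return stats;
}

// Constructed stand-in for a document plus a manual clock, so this runs in Node.
function demo(writes = 100000) {
  let t = 0;
  const timers = [];
  const proto = { get title() { return this._t; }, set title(v) { this._t = v; this.nativeWrites++; } };
  const doc = Object.assign(Object.create(proto), { _t: '', nativeWrites: 0 });
  const stats = installTitleLimiter(doc, { now: () => t, schedule: (fn) => timers.push(fn) });
  for (let i = 0; i < writes; i++) doc.title = 'x' + i;
  const beforeFlush = doc.nativeWrites; // writes that reached the native setter so far
  t = 250;                              // advance the manual clock past the window
  timers.forEach((fn) => fn());
  return { requested: stats.requested, beforeFlush, nativeWrites: doc.nativeWrites, finalTitle: doc._t };
}
```

A large gap between `stats.requested` and `stats.applied` is also a usable signal that a page is hammering the title. Whether script-level shadowing like this is sufficient against Brash itself is not something the article establishes.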
We were able to recreate the vulnerability in Chrome, causing our browser to freeze and stop responding. In our case, the whole thing ended harmlessly—we simply closed Chrome and our operating system remained undamaged. However, in the real world, a browser that’s frozen this way could paralyze the entire computer.
You can test the vulnerability yourself by navigating to brash.run in any Chromium-based browser. Firefox and Safari are safe and show no consequences when accessing the web page in question.
Pino has published detailed documentation on Brash on this GitHub page. Google has not yet released a patch for the vulnerability and the company is still investigating the case.