{“lastseen”:”2025-10-30T14:46:24″,”description”:”\\n\\nA severe vulnerability disclosed in Chromium’s Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds.\\n\\nSecurity researcher Jose Pino, who disclosed details of the flaw, has codenamed it **Brash**.\\n\\n\\”It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed,\\” Pino said in a technical breakdown of the shortcoming.\\n\\nAt its core, Brash stems from the lack of rate limiting on \\”document.title\\” API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process.\\n\\n\\n\\nThe attack plays out in three steps -\\n\\n * Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes per interval so as to maximize the impact of the attack\\n * Burst injection phase, where bursts of three consecutive document.title updates are executed, injecting approximately 24 million updates per second in default configuration (burst: 8000, interval: 1ms)\\n * UI thread saturation phase, where the continuous stream of updates saturates the browser’s main thread, causing it to go unresponsive and requiring forced termination\\n\\n\\n\\n\\”A critical feature that amplifies Brash’s danger is its ability to be programmed to execute at specific moments,\\” Pino said. \\”An attacker can inject the code with a temporal trigger, remaining dormant until a predetermined exact time.\\”\\n\\n\\”This kinetic timing capability transforms Brash from a disruption tool into a temporal precision weapon, where the attacker controls not only the ‘what’ and ‘where,’ but also the ‘when’ with millisecond accuracy.\\”\\n\\n\\n\\nThis also means that the attack can act like a logic bomb that’s configured to detonate at a specific time or after a certain amount of time has elapsed, all while evading initial inspection or detection. In a hypothetical attack scenario, all it would take is a click of a specially crafted URL to trigger the behavior, leading to unintended consequences.\\n\\nThe vulnerability works on Google Chrome and all web browsers that run on Chromium, which includes Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.\\n\\nThe Hacker News has reached out to Google for further comment on the findings and its plans for a fix, and we will update the story if we hear back.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-10-30T14:45:00″,”modified”:”2025-10-30T14:45:50″,”type”:”thn”,”title”:”New \\”Brash\\” Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL”,”source”:””,”references”:””,”id”:”THN:EA3012F040FE3A2AC90645B00F2D6BC8″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/10\/new-brash-exploit-crashes-chromium.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-30T14:46:24″,”description”:”\\n\\nA severe vulnerability disclosed in Chromium’s Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds.\\n\\nSecurity researcher Jose Pino, who…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-24080","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n