This security hole can crash billions of Chromium browsers, and Google hasn’t patched it yet
Exclusive A critical, currently unpatched bug in Chromium’s Blink rendering engine can be abused to crash many Chromium-based browsers within seconds, causing a denial-of-service condition – and, in some tests, freezing the host system.
Security researcher Jose Pino found the flaw, and created a proof-of-concept exploit, Brash, to demonstrate the vulnerability affecting billions of people worldwide.
Chrome is the most popular browser in the world with over 70% market share, according to StatCounter, and that’s not counting all the people who use any of the open source Chromium-based browsers, including Microsoft Edge, OpenAI’s ChatGPT Atlas, Brave, and Vivaldi. Given the ITU counts 5.5 billion internet users, that suggests Chrome alone is used by more than 3 billion people.
Brash exploits an architectural flaw in Blink, the rendering engine used by Chromium-based browsers. After testing the PoC on 11 major browsers on Android, macOS, Windows, and Linux, Pino found it works on nine of them, causing those browsers to collapse in 15 to 60 seconds. It affects Chromium versions 143.0.7483.0 and later.
“The attack vector originates from the complete absence of rate limiting on document.title API updates,” Pino said in research published on GitHub. “This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse.”
The Register tested the code on Edge, and not only did it crash the browser, but it also locked up the Windows-based machine after about 30 seconds, and sucked down 18 GB of RAM into one tab.
Pino spoke with The Register exclusively about the bug, and said he initially disclosed it to the Chromium security team on August 28, and followed up on August 30, but didn’t receive a response.
“The problem is more serious than it seems, since each company that uses Chromium has customized functionalities, which leads me to believe that the fix must be independent for each one,” he told The Register.
The root cause is that Blink applies every document.title write as it arrives, with no throttling or coalescing, so a script can force an unbounded amount of work onto the browser’s main thread.
To show how the flaw is abused, Pino describes the attack in three phases.
First, in the preparation phase, the attacker pre-loads into memory 100 unique hexadecimal strings of 512 characters. It’s “crucial” not to simply reuse strings because that reduces the attack’s effectiveness, Pino explained.
Next, in the execution phase, the script fires bursts of three consecutive document.title updates. Pino’s default configuration (burst: 8000, interval: 1ms) schedules 8,000 such bursts every millisecond, which comes to roughly 24 million attempted updates per second.
Then, in the third stage, the continuous updates saturate the browser’s main thread: they consume massive amounts of compute and starve the event loop, so no other events get processed. Between five and 10 seconds in, the browser’s tabs freeze; between 10 and 15 seconds, the browser collapses or shows a “page unresponsive” dialog box; and between 15 and 60 seconds into the attack, Chromium-based browsers require forced termination.
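The control Pino says Blink lacks, a rate limit on document.title writes, is easy to model. The following is an added example written for this article, not Pino’s Brash PoC and not code from any browser: a sliding-window limiter that applies at most N title writes per second and coalesces the rest to their newest value, driven by Brash-shaped traffic (bursts of three updates per millisecond tick, cycling through 100 unique 512-character hex strings). FakeDocument, the simulated clock, the install hook and the reduced burst size in the runner are assumptions made so the block runs stand-alone in Node.

```javascript
'use strict';

// Added example (not Pino's Brash PoC, not any browser's code): a rate
// limiter for document.title writes. Writes over budget are coalesced so
// only the newest pending title is applied once budget returns.
// FakeDocument, the clock object and installTitleLimiter are assumptions
// so this runs in Node without a browser.

function findDescriptor(obj, prop) {
  // In a browser the `title` accessor lives on Document.prototype, not on
  // the document instance, so walk the prototype chain.
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return undefined;
}

class TitleRateLimiter {
  // Sliding window: at most maxPerWindow applied writes per windowMs.
  constructor(applyTitle, { maxPerWindow = 10, windowMs = 1000, now = () => Date.now() } = {}) {
    this.applyTitle = applyTitle;
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.now = now;
    this.stamps = [];     // times of writes applied inside the current window
    this.pending = null;  // newest value not yet applied (coalesced)
    this.applied = 0;
    this.dropped = 0;
  }

  hasBudget(t) {
    while (this.stamps.length && this.stamps[0] <= t - this.windowMs) this.stamps.shift();
    return this.stamps.length < this.maxPerWindow;
  }

  apply(t, value) {
    this.stamps.push(t);
    this.pending = null;
    this.applied += 1;
    this.applyTitle(value);
  }

  set(value) {
    const v = String(value);
    const t = this.now();
    if (this.hasBudget(t)) {
      this.apply(t, v);
    } else {
      this.pending = v;   // coalesce: a burst collapses to its last value
      this.dropped += 1;
    }
  }

  flush() {
    // Call periodically (e.g. from setInterval) so a coalesced value lands.
    if (this.pending === null) return false;
    const t = this.now();
    if (!this.hasBudget(t)) return false;
    this.apply(t, this.pending);
    return true;
  }
}

function installTitleLimiter(doc, opts) {
  // Shadow the native accessor on the instance; writes go through the limiter.
  const native = findDescriptor(doc, 'title');
  const limiter = new TitleRateLimiter((v) => native.set.call(doc, v), opts);
  Object.defineProperty(doc, 'title', {
    configurable: true,
    get: () => native.get.call(doc),
    set: (v) => limiter.set(v),
  });
  return limiter;
}

// Stand-in for a real document; each setter call models the title/DOM
// update Blink would perform on the main thread.
class FakeDocument {
  constructor() { this._title = ''; this.domWrites = 0; }
  get title() { return this._title; }
  set title(v) { this._title = v; this.domWrites += 1; }
}

// Drive the limiter with Brash-shaped traffic: `burst` bursts of `perBurst`
// writes per 1 ms tick, cycling through 100 unique 512-char hex strings.
// The article's default is burst 8000; the runner below uses 800 for speed.
// `clock.t` is the simulated time in ms that the limiter reads.
function simulateBrash(doc, limiter, clock, { ticks = 1100, burst = 800, perBurst = 3 } = {}) {
  const titles = Array.from({ length: 100 }, (_, i) => i.toString(16).padStart(4, '0').repeat(128));
  let attempted = 0;
  for (let t = 0; t < ticks; t += 1) {
    clock.t = t;
    limiter.flush();
    for (let b = 0; b < burst; b += 1) {
      for (let k = 0; k < perBurst; k += 1) {
        doc.title = titles[(b * perBurst + k) % titles.length];
        attempted += 1;
      }
    }
  }
  return { attempted, applied: limiter.applied, dropped: limiter.dropped, domWrites: doc.domWrites };
}

if (typeof require !== 'undefined' && require.main === module) {
  const clock = { t: 0 };
  const doc = new FakeDocument();
  const limiter = installTitleLimiter(doc, { maxPerWindow: 10, now: () => clock.t });
  console.log(simulateBrash(doc, limiter, clock));
}
```

With a 10-per-second budget, 1.1 simulated seconds of burst traffic (2.64 million attempted writes) produce only 20 actual title updates, while a single ordinary write still lands immediately. Two caveats: an in-page shim like this can be undone by the page’s own script (deleting the instance property restores the prototype accessor), so it only models the control; the real fix has to land in Blink, where the title update is performed. And the limiter only bounds the work Blink does per write; a script can still burn CPU in a tight loop, so this addresses the amplification Pino describes, not all main-thread abuse.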
This is a denial of service, not code execution: it won’t lead to ransomware, but it will tie up your PC for a while and could cost you unsaved work in any open tab. Any web page could carry the malicious JavaScript, and crims could plant it on sites they compromise.
The Register reached out to the companies behind all nine affected browsers – Chrome, Edge, Vivaldi, Arc, Dia, Opera, Perplexity Comet, ChatGPT Atlas, and Brave – and asked if they had plans to fix the flaw. Seven didn’t respond; Google told us it’s looking into the issue, and Brave told us it doesn’t have any custom behavior around document.title. “We will implement the fix when provided by Chromium,” a Brave spokesperson said.
Pino tested two browsers that use other rendering engines, Firefox (Gecko engine) and Safari (WebKit engine), and both were immune to the attack, as were all browsers running on iOS, which also use WebKit.
He decided to publish this PoC to “draw attention to a severe issue affecting broad internet users after my initial report two months ago went unanswered. I believe public awareness is necessary when responsible disclosure does not produce timely mitigation,” Pino said.®
