Architectural flaw in Chromium Blink engine enables crashing of all Chromium based browsers just by visiting a web page
Take action: All Chromium based browsers (Chrome, Edge, Vivaldi, Opera, Brave...) are vulnerable to being crashed by just visiting a web page. And there is no fix. So be extremely careful clicking unknown links, ideally use Firefox or Safari since they are not vulnerable, and keep up with updates for Chromium based browsers.
Learn More
Security researcher Jose Pino is reporting a critical architectural flaw in the Blink rendering engine that powers Chromium-based browsers, exposing all Chromium based browser users to denial-of-service attacks.
The vulnerability, dubbed "Brash," allows malicious actors to completely crash Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, Perplexity Comet, and other Chromium-based browsers within 15 to 60 seconds through simple code injection techniques. This flaw is caused by complete absence of rate limiting on the document.title API, a web technology responsible for updating browser tab titles, enabling attackers to overwhelm browser main threads and trigger unrecoverable system collapse. The vulnerability currently affects all Chromium versions on desktop, Android, and embedded environments. There is no official patch available as of October 30, 2025.
Pino initially reported the vulnerability to Google's Chromium security team on August 28, 2025, and sent a follow-up notification on August 30, 2025, but received no response or acknowledgment from the vendor. After waiting two months without any communication from Google regarding the severity or timeline for remediation, the researcher made the decision to publicly disclose the vulnerability on October 29, 2025, publishing detailed technical documentation on GitHub and creating a live proof-of-concept demonstration at brash.run.
Pino believes that public awareness is necessary when responsible disclosure fails to produce timely mitigation, particularly for vulnerabilities affecting such a massive global user base.
Pino tested major browsers on macOS, Windows, Linux, and Android platforms to validate the exploit's effectiveness.
- Chrome crashes within 15 to 30 seconds, Microsoft Edge collapses in 15 to 25 seconds
- Opera requires approximately 60 seconds for complete termination
- Vivaldi fails within 20 to 35 seconds
- Brave is a bit more resilient, lasting 30 to 125 seconds,
- Arc Browser, Dia Browser, ChatGPT Atlas, and Perplexity Comet all fails within the 15 to 60 second window.
- Mozilla Firefox and Apple Safari are completely immune to the attack because they utilize different rendering engines which do not share Chromium's architectural vulnerability.
- All third-party browsers on iOS are immune to Brash due to Apple's mandatory policy requiring all iOS browsers to use WebKit as their rendering engine.
Users of Chromium browsers should be very careful when opening unknown links, especially those that are too good to be true or imply urgency. Also switching to Firefox/Waterfox browsers for unknown links is a good idea.
Google has acknowledged that it is investigating the issue but has not provided any timeline for when a security patch will be released. A spokesperson for Brave browser confirmed that the company does not implement custom behavior around document.title and will implement fixes when provided by the upstream Chromium project.
