Critical Blink Vulnerability Lets Attackers Crash Chromium-Based Browsers in Seconds

Security researchers have discovered a critical architectural flaw in the Blink rendering engine that powers Chromium-based browsers, exposing over 3 billion users worldwide to devastating denial-of-service attacks.

The vulnerability, designated as Brash, allows malicious actors to completely incapacitate Chrome, Edge, Brave, Opera, and other Chromium variants within just 15 to 60 seconds through straightforward code injection techniques.

The attack exploits a fundamental design vulnerability: the complete absence of rate limiting on the document.title API, a basic web technology responsible for updating browser tab titles.

By flooding the browser with millions of title update requests per second, attackers systematically overwhelm the browser’s main thread, saturate system resources, and trigger an unrecoverable system collapse that renders the browser completely unusable.
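To make "rate limiting on document.title" concrete, the following added example (not code from the researchers or from Chromium) coalesces title writes so that at most one reaches the underlying setter per interval. The names createTitleThrottle and installTitleThrottle, the 250 ms interval, and the mock document in demo() are assumptions made for illustration, and this is not a verified fix for Brash.

```javascript
// Added example: coalescing rate limit for document.title writes.
// createTitleThrottle / installTitleThrottle are hypothetical names, not a browser API.
function createTitleThrottle(applyTitle, { minIntervalMs = 250, now = Date.now, schedule = setTimeout } = {}) {
  let lastApplied = -Infinity, pending = null, timerArmed = false;
  const stats = { requested: 0, applied: 0 };
  const apply = (value) => { lastApplied = now(); stats.applied++; applyTitle(value); };
  function flush() {                       // timer callback: apply only the newest value
    timerArmed = false;
    if (pending === null) return;
    const value = pending; pending = null;
    apply(value);
  }
  function set(value) {
    stats.requested++;
    const wait = minIntervalMs - (now() - lastApplied);
    if (wait <= 0 && !timerArmed) return apply(String(value));
    pending = String(value);               // overwrite: intermediate titles are dropped
    if (!timerArmed) { timerArmed = true; schedule(flush, Math.max(wait, 0)); }
  }
  return { set, stats };
}

// Shadow the inherited `title` accessor on one document object with the throttled one.
function installTitleThrottle(doc, opts) {
  let native;
  for (let p = doc; p && !native; p = Object.getPrototypeOf(p)) {
    const d = Object.getOwnPropertyDescriptor(p, 'title');
    if (d && d.set) native = d;
  }
  if (!native) throw new Error('no settable title accessor found');
  const throttle = createTitleThrottle((v) => native.set.call(doc, v), opts);
  Object.defineProperty(doc, 'title', { configurable: true, get: () => native.get.call(doc), set: (v) => throttle.set(v) });
  return throttle;
}

// Constructed stand-in for document plus a fake clock, so the demo runs in Node.
function demo() {
  let stored = '', nativeWrites = 0, t = 0;
  const timers = [];
  const doc = Object.create({ get title() { return stored; }, set title(v) { stored = v; nativeWrites++; } });
  const throttle = installTitleThrottle(doc, { now: () => t, schedule: (fn, ms) => timers.push({ at: t + ms, fn }) });
  for (t = 0; t <= 1000; t++) {            // simulated milliseconds
    while (timers.length && timers[0].at <= t) timers.shift().fn();
    for (let i = 0; i < 10 && t < 1000; i++) doc.title = `title-${t}-${i}`;
  }
  return { requested: throttle.stats.requested, nativeWrites, final: doc.title };
}
console.log(demo());
```

A wrapper installed from script can be bypassed by code that reaches the original setter, so it only illustrates the behaviour; the durable fix is a limit inside the engine.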

How the Attack Works

The Brash exploit operates through three meticulously coordinated phases designed for maximum efficiency and impact.

Initially, the attack pre-loads 100 unique hexadecimal strings directly into memory, eliminating the computational overhead of generating them during active exploitation.

This optimization maximizes attack speed and resource efficiency.

The second phase injects approximately 24 million document.title updates per second in configurable bursts, with each burst performing three sequential title changes that create an insurmountable rendering pipeline bottleneck.

The browser’s primary thread becomes completely saturated, blocking the event loop and preventing legitimate user input processing entirely.

Within seconds, the browser freezes completely and becomes unresponsive to all user commands. After just 5-10 seconds of exploitation, users find the tab impossible to close manually.

By 10-15 seconds, the characteristic “Page Unresponsive” dialog appears across all Chromium variants.

Complete browser termination occurs within 15-60 seconds, depending on the specific browser implementation and underlying system specifications.

Browser-Specific Impact and Timeline

Comprehensive testing across 11 major browser platforms confirmed that all Chromium-based implementations remain vulnerable to this attack vector.

Google Chrome crashes in approximately 15-30 seconds, Microsoft Edge demonstrates a similar vulnerability with crashes occurring in 15-25 seconds, while Opera exhibits slower degradation at approximately 60 seconds.

Firefox and Safari remain completely immune due to their fundamentally different rendering architectures, as do all iOS browsers protected by Apple’s mandatory WebKit requirement.

The consequences extend far beyond simple user inconvenience. The attack consumes extreme computational resources, severely degrading overall system performance and potentially halting or slowing other running processes simultaneously.

Attackers can weaponize Brash using delayed or scheduled execution parameters, enabling code injection days beforehand with triggering at strategically precise moments during critical operational windows.

Organizations relying on web-based systems face genuine existential risks. Medical facilities using web-based surgical navigation systems could lose critical visualization during active operations.

Financial institutions could experience complete trading platform collapses during peak market hours. Enterprise infrastructure dependent on headless browser automation faces total service disruption, threatening business continuity.

| Aspect | Details |
| --- | --- |
| Vulnerability Name | Brash (Blink Rendering Engine DoS) |
| CVSS v3.1 Score | 7.5 (High) |
| Attack Vector | Network-based |
| Affected Browsers | Chrome, Edge, Brave, Opera, all Chromium variants |
| Affected Versions | Chromium 143.0.7483.0 and earlier |
| Attack Complexity | Low |
| Exploitation Time | 15-60 seconds |
| Immunity | Firefox, Safari, iOS browsers (WebKit) |
| Status | Unpatched, patches in development |
| Discovery | October 2025 |
| Recommended Action | Avoid suspicious links; update when patches available |


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
