
Beware unfixed ‘Brash’ Chrome vulnerability that crashes your browser.
It was the best of times, it was the worst of times. Dickens could easily have been writing about Google Chrome users given the last few days. Two emergency updates, followed by news of another patch addressing 20 security vulnerabilities. The best of times? Well, Google has said it is making the browser more secure, but not until 2026, which kind of counts, as do those security fixes if you ask me. What falls firmly into the worst category, however, is news of a new vulnerability called Brash that can crash your Chrome browser and impacts 3 billion users. Oh, and there’s no fix right now. Here’s what you need to know.
What Is The Google Chrome Crashing Brash Vulnerability?
Security researcher Jose Pino contacted Forbes to reveal that he had found a critical vulnerability in the Blink rendering engine used in Chrome and in the other web browsers built on Chromium, and demonstrated a proof-of-concept exploit to me that did, indeed, cause my Chrome browser to freeze and require restarting.
Pino calls this exploit Brash, based upon a vulnerability that causes “any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed.” The DOM, or document object model, is the in-memory tree representation of a web page that scripts read and modify; every change a script makes to it is a DOM mutation the browser has to process.
Pino was able to show that Blink applies no rate limiting to updates made through the document.title API, which means a page can push millions of DOM mutations per second through it until the interface collapses and the browser freezes. “The impact is significant,” Pino warned, “it consumes high CPU resources, degrades overall system performance, and can halt or slow down other processes running simultaneously.” What’s more, it affects desktop and Android browsers.
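The mechanism described above is an unthrottled write path: each assignment to document.title becomes a DOM mutation, and nothing in the engine caps the rate. The example below is added here for illustration and is neither Pino’s proof of concept nor Chromium code. It contrasts a pass-through setter with a coalescing setter that writes the DOM at most once per animation frame, and uses a constructed stand-in for `document` and a manual frame scheduler (both assumptions of the example) so it can be run outside a browser.

```javascript
// Added example: coalescing document.title writes so a burst of updates
// produces one DOM mutation per frame instead of one per request.
// Not Pino's PoC and not Chromium code; the fake document and scheduler
// below are constructed stand-ins so the example runs offline in Node.

// Constructed stand-in for the real `document`: counts how many title
// writes actually reach the "DOM".
function makeFakeDocument() {
  let title = "";
  let writes = 0;
  return {
    get title() { return title; },
    set title(value) { writes += 1; title = String(value); },
    get writes() { return writes; },
  };
}

// Pass-through path: every caller request becomes a DOM mutation. This is
// the behaviour the article describes Blink exposing: no engine-side limit.
function setTitleUnthrottled(doc, value) {
  doc.title = value;
}

// Coalescing path: remember only the latest value and schedule a single
// write per frame. `schedule` is requestAnimationFrame in a real page;
// here it is injected so the test can drive frames by hand.
function makeCoalescingTitleSetter(doc, schedule) {
  let latest = null;
  let scheduled = false;
  return function setTitle(value) {
    latest = String(value);
    if (scheduled) return;        // a write is already queued; just update the value
    scheduled = true;
    schedule(() => {
      scheduled = false;
      doc.title = latest;         // exactly one mutation per frame, whatever the request rate
    });
  };
}

// Constructed frame scheduler: callbacks queue until runFrame() is called,
// mimicking the one-callback-per-frame contract of requestAnimationFrame.
function makeManualScheduler() {
  const queue = [];
  return {
    schedule: (fn) => { queue.push(fn); },
    runFrame: () => { queue.splice(0).forEach((fn) => fn()); },
  };
}

// Push `n` title updates through one of the two paths and report how many
// reached the DOM and what the final title was.
function countWrites(n, coalesce) {
  const doc = makeFakeDocument();
  const sched = makeManualScheduler();
  const set = coalesce
    ? makeCoalescingTitleSetter(doc, sched.schedule)
    : (value) => setTitleUnthrottled(doc, value);
  for (let i = 0; i < n; i++) set(`update ${i}`);
  sched.runFrame();               // let the one queued frame callback run
  return { writes: doc.writes, title: doc.title };
}

// Stand-alone run: a burst of a million requests.
const burst = 1_000_000;
console.log("unthrottled:", countWrites(burst, false));
console.log("coalesced:  ", countWrites(burst, true));
```

In a real page the setter is created as `makeCoalescingTitleSetter(document, requestAnimationFrame)` and replaces direct assignments to document.title. The caveat a practitioner should keep in mind: this only protects a page from its own bursty code (a noisy notification counter, a ticker). It does nothing against a hostile page that writes document.title directly, which is the scenario the article describes; that can only be addressed in the engine, and at the time of writing there is no fix.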
You can try this, entirely at your own risk, by using the demo page that Pino has set up here.
Pino documented the time it took to crash nine Chromium-based browsers using Brash:
Google Chrome: 15-30 seconds
Arc Browser: 15-30 seconds
Brave: 30-125 seconds
ChatGPT Atlas: 15-60 seconds
Dia Browser: 5-30 seconds
Edge: 15-25 seconds
Opera: 60 seconds
Perplexity Comet: 15-35 seconds
Vivaldi: 15-30 seconds
I have reached out to Google for a statement and will update this article as soon as I can.