Chromium Blink document.title crash security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Brash is a Chromium Blink vulnerability that can crash Google Chrome and other Chromium-based browsers in 15-60 seconds by abusing unthrottled `document.title` updates. The flaw floods the DOM with mutations, which can saturate the browser's main thread and degrade system performance. It affects Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet.
Related Happenings
FROST browser SSD timing side channel via OPFS
Technical Analysis
H score16
First: 09.06.2026 12:50
Last: 09.06.2026 12:50
Sources 1
About this happening:
**FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
FROST browser SSD timing side channel via OPFS
Technical AnalysisAbout this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
Vulnerability
H score45
First: 09.06.2026 09:56
Last: 09.06.2026 09:56
Sources 1
About this happening:
**Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
VulnerabilityAbout this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Browser-layer visibility guidance for browser-native threats
Defensive Guidance
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Browser-layer visibility guidance for browser-native threats
Defensive GuidanceAbout this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Chromium JavaScript background RCE flaw
Vulnerability
H score16
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
H score1
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
VulnerabilityAbout this happening: **Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Timeline
-
30.10.2025 16:45 2 articles · 8mo ago
Brash vulnerability crashes Chromium-based browsers in 15-60 seconds
Initial DisclosureJose Pino disclosed Brash, a vulnerability in Chromium's Blink rendering engine that can crash Google Chrome and other Chromium-based browsers in 15-60 seconds by abusing unthrottled document.title updates, flooding millions of DOM mutations per second and saturating the browser's main thread; Mozilla Firefox and Apple Safari are not affected.
Show sources
- New "Brash" Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL — thehackernews.com — 30.10.2025 16:45
- New "Brash" Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL — thehackernews.com — 30.10.2025 16:45