Overview
- Researcher Jose Pino published the Brash proof‑of‑concept after notifying the Chromium team in late August and later detailing the exploit on GitHub.
- Google said it is looking into the issue and Brave said it will adopt a Chromium fix when available, while most other vendors did not provide public responses.
- Independent tests on Windows, macOS, Linux, and Android collapsed Chromium‑based browsers in roughly 15–60 seconds, with some runs freezing the host and draining large amounts of RAM.
- The attack floods unthrottled document.title updates to generate millions of DOM mutations per second, which can be triggered by visiting a single crafted URL.
- Firefox and Safari, including all iOS browsers using WebKit, were immune in tests, and coverage differs on the exact affected Chromium versions as potential exposure spans billions of users.