Unpatched 'Brash' Flaw Crashes Chromium Browsers in Seconds

A public proof‑of‑concept overwhelms Blink by spamming title updates, crashing affected browsers in under a minute.

Overview

  • Researcher Jose Pino disclosed the Brash exploit, which he says can collapse Chrome, Edge, Brave, Opera, Vivaldi, Arc and other Chromium-based browsers on Windows, macOS, Linux and Android, while Firefox, Safari and all iOS browsers are unaffected.
  • There is no public fix yet; Google says it is investigating, Brave says it will adopt a Chromium-provided remedy, and several other vendors did not respond to inquiries.
  • Tests by outlets reproduced the crash, with The Register reporting a Windows machine lockup and a single tab consuming about 18 GB of RAM before the browser had to be force-quit.
  • The attack can be triggered by a single crafted URL and can be time‑programmed to detonate later, raising risks for headless Chromium instances used by crawlers and automated services.
  • Pino says he reported the issue to the Chromium security team in late August and published the proof‑of‑concept after not receiving a response, highlighting an architectural lack of rate limiting on document.title updates.