Full Report
Edge, Atlas, Brave among those affected. Exclusive: A critical, currently unpatched bug in Chromium's Blink rendering engine can be abused to crash many Chromium-based browsers within seconds, causing a denial-of-service condition – and, in some tests, freezing the host system.…
Analysis Summary
# Vulnerability: Critical Denial-of-Service via Unthrottled Blink Rendering Engine Updates
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text (Severity implied as Critical due to system freezing/crash).
- CWE: Not stated in the text; the behaviour described (page-controlled operations with no bound on the CPU and memory they consume) fits Uncontrolled Resource Consumption (CWE-400).
## Affected Systems
- Products: Chromium-based browsers including **Chrome**, **Microsoft Edge**, **Brave**, **Vivaldi**, **Arc**, **Dia**, **Opera**, and **OpenAI's ChatGPT Atlas**.
- Versions: Chromium versions **143.0.7483.0 and later**.
- Configurations: Any configuration running the affected Chromium versions using the Blink rendering engine. Not affected: Firefox (Gecko) and Safari (WebKit), including iOS browsers.
## Vulnerability Description
The flaw is architectural: Blink applies updates to `document.title` with **no rate limiting at all**. A page's script can therefore assign the title in a tight loop, producing millions of DOM mutations per second, all of which land on the renderer's main thread. The event loop is starved, the browser interface stops responding, and memory grows until the process, or in some tests the host, collapses (one test recorded a single instance consuming 18 GB of RAM).
## Exploitation
- Status: **PoC available** (the "Brash" exploit published by Jose Pino). Because the payload is ordinary JavaScript, any page a victim loads can carry it, so the attack scales to any site an attacker controls or can inject script into.
- Complexity: Low. The PoC pre-loads a set of unique strings and writes them to `document.title` in timed bursts (e.g. burst: 8000 updates, interval: 1 ms); no interaction beyond loading the page is required.
- Attack Vector: **Network** (a web page carrying the JavaScript; the victim only has to load it).
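The mechanism in the description above (unbounded main-thread work per title write) and the burst parameters quoted from the PoC can be made concrete without touching a browser. The following is an added example written for this summary, not code from the Brash repository or from Chromium: a Node simulation that drives a stand-in `document` with the PoC's burst pattern (8000 writes every 1 ms of virtual time) once through an unthrottled setter and once through a setter that coalesces writes to one applied update per frame. The fake document, the 16 ms frame budget and the coalescing strategy are this example's assumptions, not a description of any vendor's patch.

```javascript
// Added example for this summary (not Brash or Chromium code): simulate the
// main-thread work caused by unthrottled document.title writes and compare it
// with a per-frame coalescing limit. Virtual time only; nothing here hangs.

// Stand-in for the browser document: each write to `title` is counted as one
// unit of main-thread work (in a real engine every write mutates the DOM and
// is propagated to the browser UI process).
function makeFakeDocument() {
  let title = "";
  let work = 0;
  return {
    get title() { return title; },
    set title(value) { title = String(value); work += 1; },
    get work() { return work; },
  };
}

// Setter with no rate limit: every write reaches the document immediately.
// This models the behaviour the text attributes to Blink.
function makeUnthrottledSetter(doc) {
  return {
    set(value) { doc.title = value; },
    onFrame() {}, // nothing is deferred, so there is nothing to flush
  };
}

// Coalescing setter (assumed mitigation, not Chromium's): writes between two
// frames only replace `pending`; the latest value is applied once per frame,
// so work per frame is bounded by 1 however many writes the page issues.
function makeCoalescingSetter(doc) {
  let pending = null;
  return {
    set(value) { pending = value; },
    onFrame() {
      if (pending !== null) {
        doc.title = pending;
        pending = null;
      }
    },
  };
}

const FRAME_MS = 16; // assumed frame budget (~60 Hz); intervalMs must divide it

// Drive a setter with the PoC's burst pattern: `burst` writes of pre-loaded
// unique strings every `intervalMs` of virtual time, for `durationMs`.
// Returns the total work the document absorbed and the final title.
function simulateBurst(makeSetter, { burst, intervalMs, durationMs }) {
  const doc = makeFakeDocument();
  const setter = makeSetter(doc);
  const strings = Array.from({ length: burst }, (_, i) => `t${i}`);
  for (let t = 0; t < durationMs; t += intervalMs) {
    for (let i = 0; i < burst; i++) setter.set(strings[i]);
    if ((t + intervalMs) % FRAME_MS === 0) setter.onFrame(); // frame boundary
  }
  setter.onFrame(); // final flush so the last value is not lost
  return { work: doc.work, finalTitle: doc.title };
}

// Run both strategies under the same load (defaults are the PoC parameters
// quoted in the article: burst 8000, interval 1 ms, here for 1 s).
function compareStrategies(params = { burst: 8000, intervalMs: 1, durationMs: 1000 }) {
  return {
    unthrottled: simulateBurst(makeUnthrottledSetter, params),
    coalescing: simulateBurst(makeCoalescingSetter, params),
  };
}

const result = compareStrategies();
console.log(`unthrottled: ${result.unthrottled.work} title writes applied per second`);
console.log(`coalescing:  ${result.coalescing.work} title writes applied per second`);
```

With the PoC's parameters the unthrottled path applies 8,000,000 writes in one simulated second, while the coalescing path applies 63 (one per 16 ms frame plus a final flush) and still ends on the same final title, which is the point: a page can only ever observe the latest value, so nothing it legitimately needs is lost by dropping the intermediate writes.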
## Impact
- Confidentiality: No direct impact reported.
- Integrity: No direct impact; unsaved work in the browser, and in the host-freeze case on the machine, can be lost when the process is killed or the system is reset.
- Availability: **High**. The browser crashes or becomes unresponsive within 15-60 seconds of loading the page, and in some tests the host system froze as well.
## Remediation
### Patches
- **No patch is available** from the Chromium project as of the article date. Each downstream vendor ships its own build, so fixes will reach users when Chromium lands a patch that vendors pull in, or earlier if a vendor patches its own build independently.
### Workarounds
- No vendor workarounds were provided. Because the attack needs nothing beyond JavaScript execution, the practical mitigations are the usual ones for untrusted script: blocking script on untrusted origins (a per-site JavaScript permission or a content-blocking extension) prevents it, and avoiding unknown links reduces exposure, but any page that can run script could host it. If a tab is already saturated, ending the offending renderer from the browser's own task manager may recover the session before the UI process locks up; that is an assumption, not something the article tested.
## Detection
- Indicators of Compromise: these are endpoint indicators, not network ones. A single browser renderer process whose CPU pegs and whose memory climbs steeply (18 GB in one test) within 15-60 seconds of a page load, followed by the browser becoming unresponsive or crashing.
- Detection methods and tools: The payload is a small, ordinary script, so web traffic monitoring has no distinctive signature to match. Detection belongs on the endpoint: track per-process CPU and memory of browser renderer processes and alert on sustained saturation combined with a steep memory slope, since high CPU alone is normal for video or WebGL pages. Where page content is inspected, a loop that repeatedly assigns `document.title` is the pattern to look for, with the caveat that legitimate pages also update the title.
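The endpoint detection described above, as an added example that is not part of the article or the Brash repository: a Node script that parses per-process samples of the kind an EDR agent or a periodic `ps` collector would emit for Chromium renderers, and flags a process whose CPU stays pegged while its resident memory climbs by thousands of megabytes within a short window. The line format, the thresholds and the sample values are constructed for the demonstration; a healthy but busy renderer is included to show why CPU alone is not enough.

```javascript
// Added example for this summary (not from the article or Brash): flag a
// renderer whose CPU is pegged AND whose RSS is climbing steeply, the
// combination that separates a title flood from an ordinary heavy page.

// Constructed telemetry (not real data): pid 4120 is a renderer hit by a
// title flood, climbing towards the 18 GB seen in testing; pid 4188 is a busy
// but healthy renderer (high CPU, flat memory, as with video playback).
const SAMPLE_LOG = `
2025-11-04T10:00:00Z pid=4120 name=chrome type=renderer rss_mb=210 cpu=12
2025-11-04T10:00:00Z pid=4188 name=chrome type=renderer rss_mb=640 cpu=88
2025-11-04T10:00:10Z pid=4120 name=chrome type=renderer rss_mb=1900 cpu=99
2025-11-04T10:00:10Z pid=4188 name=chrome type=renderer rss_mb=650 cpu=93
2025-11-04T10:00:20Z pid=4120 name=chrome type=renderer rss_mb=4300 cpu=100
2025-11-04T10:00:20Z pid=4188 name=chrome type=renderer rss_mb=655 cpu=94
2025-11-04T10:00:30Z pid=4120 name=chrome type=renderer rss_mb=7800 cpu=100
2025-11-04T10:00:30Z pid=4188 name=chrome type=renderer rss_mb=660 cpu=92
2025-11-04T10:00:40Z pid=4120 name=chrome type=renderer rss_mb=12400 cpu=99
2025-11-04T10:00:40Z pid=4188 name=chrome type=renderer rss_mb=658 cpu=95
2025-11-04T10:00:50Z pid=4120 name=chrome type=renderer rss_mb=18000 cpu=100
2025-11-04T10:00:50Z pid=4188 name=chrome type=renderer rss_mb=661 cpu=93
`;

// Assumed record layout: ISO timestamp followed by key=value fields.
const LINE_RE = /^(\S+) pid=(\d+) name=(\S+) type=(\S+) rss_mb=(\d+) cpu=(\d+)$/;

// Parse one sample per line. Malformed lines are skipped rather than thrown
// on: a detector should not die on a truncated record.
function parseSamples(text) {
  const samples = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const m = LINE_RE.exec(line);
    if (!m) continue;
    samples.push({
      ts: Date.parse(m[1]) / 1000, // seconds since epoch
      pid: Number(m[2]),
      name: m[3],
      type: m[4],
      rssMb: Number(m[5]),
      cpu: Number(m[6]),
    });
  }
  return samples;
}

// Alert on a renderer whose CPU is at or above `minCpu` for `minConsecutive`
// samples in a row while its RSS has grown by at least `minGrowthMb` within
// `windowSec` of that run starting. Thresholds are assumptions to tune.
function detectTitleFlood(samples, opts = {}) {
  const { minCpu = 90, minConsecutive = 3, minGrowthMb = 2000, windowSec = 60 } = opts;
  const byPid = new Map();
  for (const s of samples) {
    if (s.type !== "renderer") continue;
    if (!byPid.has(s.pid)) byPid.set(s.pid, []);
    byPid.get(s.pid).push(s);
  }
  const alerts = [];
  for (const [pid, list] of byPid) {
    list.sort((a, b) => a.ts - b.ts);
    let runStart = null; // first sample of the current high-CPU run
    let runLen = 0;
    for (const s of list) {
      if (s.cpu < minCpu) { runStart = null; runLen = 0; continue; }
      if (runStart === null) runStart = s;
      runLen += 1;
      const elapsed = s.ts - runStart.ts;
      const growth = s.rssMb - runStart.rssMb;
      if (runLen >= minConsecutive && elapsed <= windowSec && growth >= minGrowthMb) {
        alerts.push({
          pid,
          name: s.name,
          runStart: new Date(runStart.ts * 1000).toISOString(),
          rssFromMb: runStart.rssMb,
          rssToMb: s.rssMb,
          seconds: elapsed,
        });
        break; // one alert per process is enough
      }
    }
  }
  return alerts;
}

console.log(detectTitleFlood(parseSamples(SAMPLE_LOG)));
```

On the constructed data this raises exactly one alert, for pid 4120, 20 seconds into its high-CPU run with RSS up from 1900 MB to 7800 MB; pid 4188 keeps its CPU above 90 for five samples but never trips the growth threshold. In production the memory threshold should sit well above the largest renderer footprint normal for the fleet, and the alert should carry the tab's URL from the browser's own telemetry if that is collected, since the process sample alone does not identify the offending page.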
## References
- Researcher GitHub: hxxps://github.com/jofpin/brash
- Vendor Advisory Status: The issue was initially disclosed to the Chromium security team on August 28th but remained unpatched at the time of the article publication.