A newly discovered and severe security flaw can be used to freeze and crash most of the world’s top web browsers. A security researcher, Jose Pino, detailed the major bug, which he has named Brash.

This flaw allows a malicious website to completely lock up a browser, forcing the user to manually shut it down. The attack is effective and fast, causing a browser to become totally unresponsive in as little as 15 seconds, and sometimes up to a minute.

Pino explained in his technical report that the bug takes advantage of a basic flaw in the architecture of Chromium, the software engine that powers Google Chrome and many other browsers. The problem lies in how the software handles certain basic operations, allowing an attacker to exploit a missing “speed limit.”

How the Attack Freezes Your Browser

At its heart, the attack is surprisingly simple but incredibly effective. It targets the tiny piece of text that appears in your browser tab—the page’s title.

The vulnerability exists because the Chromium engine does not have a safety check to limit how often a webpage can request to change its own title. The Brash attack works by “flooding” the browser with a ridiculous number of these change requests, millions of them every single second.

The attack unfolds in three distinct stages:

First is the preparation stage. The malicious website gets its “ammunition” ready. It loads about 100 very long, unique strings of text (specifically, 512-character hexadecimal strings) into the computer’s memory. These will be used as the new titles.

Second is the injection stage. The attack begins its rapid-fire assault. It sends tiny bursts of title-change requests—three at a time—at an incredible speed. With its default settings, this method can slam the browser with approximately 24 million title updates every second.

The final stage is saturation. The browser simply cannot keep up. The main part of the browser’s brain, the thread that handles all user interactions like clicking, scrolling, and drawing the screen, gets completely choked by this continuous stream of commands. It becomes so busy trying to process the millions of title changes that it has no time left to do anything else.

The result is a total freeze. The browser window becomes unresponsive, and because the attack is hogging the computer’s main processor (CPU), it can even slow down the entire system. The user has no choice but to force-quit the application.

A Ticking Time Bomb

What makes the Brash flaw especially dangerous is its ability to be scheduled. Pino warned that this isn’t just a simple disruption tool; it can be programmed to act like a ticking time bomb.

An attacker can inject the malicious code into a webpage with a “temporal trigger.” This means the code can sit silently, remaining dormant and hidden from any initial inspection. It can be programmed to “detonate” at a precise, predetermined moment.

This capability for exact timing transforms the bug from a simple annoyance into a weapon of precision. The attacker has full control over not only what the attack is (a browser crash) and where it happens (on a victim’s computer), but also exactly when it happens, with millisecond accuracy.

This means the attack can be used as a “logic bomb,” configured to go off at a specific time or after a certain amount of time has passed since the user visited the page. In a real-world scenario, all an attacker would need to do is trick a victim into clicking a single booby-trapped link. The victim might browse the page for minutes without any issue, only for the attack to launch at a coordinated time.

Who Is at Risk?

This vulnerability is not in a single browser but in the Chromium engine itself. Because countless companies use Chromium as the base for their own browsers, the list of affected software is massive.

Affected browsers include:

• Google Chrome
• Microsoft Edge
• Brave
• Opera
• Vivaldi

The list doesn’t stop there. Newer browsers like Arc Browser and even the desktop browsers built into AI tools like the OpenAI ChatGPT app and Perplexity Comet are also vulnerable because they are built on the same core.

The only major browsers that are immune to this attack are Mozilla Firefox and Apple Safari. These two browsers use their own, completely separate rendering engines (Gecko and WebKit, respectively) and are not affected by this flaw.

Interestingly, this also means that all third-party browsers on iOS (iPhones and iPads) are safe. Apple’s security policies force all browser apps on its platform, including Chrome and Edge, to use its own WebKit engine underneath, which is not vulnerable.

The Hacker News, which originally reported on the text, has contacted Google for a statement about its plans for a fix. As of now, users are waiting to hear when a patch will be released to secure the billions of browsers at risk.