Chromium Browsers Hit by 'Brash' DoS Exploit; Chrome 142 Released
A critical new denial-of-service (DoS) vulnerability, dubbed the "Brash" exploit, has been discovered, capable of instantly crashing Chromium-based browsers across various platforms. The vulnerability affects over 3 billion users worldwide and remains unpatched, with Google only stating they are "looking into the issue" after the researcher reported it two months ago, in August 2025. This comes as Google released Chrome 142 Stable on October 28, 2025, containing fixes for 20 security vulnerabilities. Concurrently, Microsoft is enhancing enterprise browser security with new Edge for Business connectors and has retired its popular Editor extensions, consolidating their functionality within Microsoft 365. Security professionals and users are strongly advised to update their browsers without delay to mitigate potential risks and leverage new security features.
Chromium Browsers Susceptible to 'Brash' DoS Exploit
Vulnerability Overview
- Vulnerability Name: 'Brash' Exploit
- Severity: High (Denial of Service - DoS)
- Vulnerability Type: Browser crash via malicious URL
- Affected Component: Chromium Blink rendering engine
- Affected Versions: Chromium versions 143.0.7483.0 and earlier
- Platforms: Windows, macOS, Linux, Android
- Exploitation Status: Publicly disclosed with proof-of-concept available; reported to the Chromium security team on August 28 and August 30, 2025, with no response
- Patch Status: Currently unpatched; Google stated they are "looking into the issue"
Technical Details
Security researcher Jose Pino discovered the "Brash" exploit, a severe vulnerability in Chromium's Blink rendering engine that can crash Chromium-based browsers within 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed. The exploit stems from the complete absence of rate limiting on document.title API updates, allowing attackers to bombard the browser with millions of DOM mutations per second, overwhelming the browser's main thread and causing system performance degradation due to excessive CPU resource consumption.
The Brash attack operates in three phases: first, the attacker preloads 100 unique 512-character hexadecimal strings into memory to avoid CPU pauses and maximize update throughput; second, a burst injector issues rapid triple-updates, achieving approximately 24 million title writes per second; third, continuous injections saturate the UI/main thread, causing CPU usage to soar, tabs to freeze, pages to become unresponsive, and the browser to collapse or require forced termination.
Between 5 and 10 seconds into the attack, browser tabs freeze; between 10 and 15 seconds, the browser collapses or shows a "page unresponsive" dialog box; and between 15 and 60 seconds, Chromium-based browsers require forced termination. When The Register tested the exploit on Microsoft Edge, the browser crashed and the Windows machine locked up after about 30 seconds, with a single tab consuming 18GB of RAM.
A critical feature that amplifies Brash's danger is that it can be programmed to execute at specific moments, transforming it from a disruption tool into a temporal precision weapon in which the attacker controls not only the 'what' and 'where' but also the 'when', with millisecond accuracy. In this mode it acts like a logic bomb configured to detonate at a specific time while evading initial detection.
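The missing control the page identifies is any rate limit on document.title writes. The following added example (not the researcher's proof of concept and not Chromium code) models the coalescing guard a renderer could apply: writes are accepted instantly, but only the latest value per frame reaches the render path. The fake render sink and the manual frame tick are constructed stand-ins so the code runs in Node.

```javascript
// Added example (not the researcher's PoC or Chromium code): a frame-coalescing
// guard for document.title writes, the rate limit the page says is missing.
// Constructed stand-ins (a fake render sink, a manual frame tick) let it run in
// Node; in a browser the same wrapper would sit on the real title setter.

function makeGuardedTitle(renderSink) {
  let rendered = "";   // value the UI thread last painted
  let pending = null;  // latest value written since the last frame, if any
  let writes = 0;      // every write is accepted instantly and cheaply...
  let renders = 0;     // ...but at most one reaches the renderer per frame
  return {
    set title(v) { pending = String(v); writes++; },
    get title() { return pending ?? rendered; }, // scripts still read back their latest write
    // Called once per frame by the scheduler (here, by simulateBurst below).
    tick() {
      if (pending === null) return false;        // nothing new this frame
      rendered = pending; pending = null; renders++;
      renderSink(rendered);
      return true;
    },
    stats() { return { writes, renders, coalesced: writes - renders }; },
  };
}

// Drive the guard with `writesPerFrame` distinct title changes per frame, the
// burst pattern the page describes, and report how many actually got rendered.
function simulateBurst({ frames, writesPerFrame }) {
  const painted = [];
  const doc = makeGuardedTitle((t) => painted.push(t));
  let k = 0;
  for (let f = 0; f < frames; f++) {
    for (let w = 0; w < writesPerFrame; w++) doc.title = `t${k++}`; // constructed unique values
    doc.tick();
  }
  return { ...doc.stats(), painted: painted.length, lastPainted: painted[painted.length - 1] };
}

// Stand-alone run: 60 frames x 1000 writes -> 60000 writes, only 60 renders.
console.log(simulateBurst({ frames: 60, writesPerFrame: 1000 }));
```

The `coalesced` counter doubles as a detection signal: a page that keeps producing thousands of title writes per frame is exactly the behaviour described above.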
Affected Browsers
The vulnerability works on Google Chrome and all web browsers that run on Chromium, including Microsoft Edge, Brave, Opera, Vivaldi, Arc Browser, Dia Browser, OpenAI ChatGPT Atlas, and Perplexity Comet. Mozilla Firefox and Apple Safari are immune to the attack due to their different rendering engines (Gecko and WebKit respectively), as are all third-party browsers on iOS, which are all based on WebKit.
Testing across 11 major browsers confirmed that Chromium versions up to 143.0.7483.0 remain vulnerable, including Chrome, Edge, Opera, Brave, and Vivaldi on desktop, Android, and embedded devices. Chrome crashes in approximately 15-30 seconds, Microsoft Edge is similarly affected with crashes in 15-25 seconds, while Opera exhibits slower degradation at approximately 60 seconds.
Mitigation
- Action: Users of Chromium-based browsers (Chrome, Edge, Brave, Opera) should update to the latest stable version immediately, although no specific Brash patch is currently available.
- Prevention: Exercise extreme caution when clicking on unfamiliar or suspicious links.
- Alternative: Consider using Firefox or Safari browsers, which are immune to this exploit.
- Vendor Response: Google stated they are looking into the issue; Brave confirmed they will implement the fix when provided by Chromium; seven other affected browser vendors did not respond to inquiries.
Google Chrome 142 Stable Channel Release
Overview
Google released Chrome version 142 to the stable channel on October 28, 2025, addressing 20 security vulnerabilities, several of which could allow attackers to execute malicious code on affected systems. The update is now rolling out to Windows, Mac, and Linux users, with Chrome 142.0.7444.59 for Linux and 142.0.7444.60 for Windows and Mac being automatically deployed over the coming days and weeks.
Security Fixes
The Chrome 142 release tackles seven high-severity vulnerabilities, with several affecting the V8 JavaScript engine that powers Chrome's web rendering capabilities. Two of the most critical flaws, CVE-2025-12428 and CVE-2025-12429, earned researchers $50,000 bounties each for discovering type confusion and inappropriate implementation issues in V8 that could potentially enable attackers to execute arbitrary code by exploiting how Chrome processes JavaScript. Man Yue Mo from GitHub Security Lab identified the type confusion vulnerability in V8, while researcher Aorui Zhang uncovered the inappropriate implementation issue.
Beyond the critical flaws, Chrome 142 resolves eight medium-severity vulnerabilities affecting various browser components, including use-after-free vulnerabilities in PageInfo and Ozone, race conditions in Storage, and out-of-bounds read issues in V8 and WebXR. Security researchers also identified policy bypass weaknesses in Extensions and incorrect security UI implementations in Omnibox that could mislead users about website authenticity. The update also patches five low-severity vulnerabilities related to incorrect security UI displays and policy bypass issues in Extensions.
Google awarded security bounties totaling over $140,000 to external researchers who responsibly disclosed these vulnerabilities, reinforcing the company's commitment to its vulnerability rewards program.
Patch Information
- Fixed Version: Chrome 142.0.7444.59/.60
- Release Date: October 28, 2025
- Update Method: Automatic update for most users; manual check via Chrome settings (Settings > About Chrome or navigate to chrome://settings/help)
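For fleets where "check About Chrome" does not scale, an administrator wants to compare each reported build against the fixed versions listed above. This added example (not Google tooling) does that for the output of `google-chrome --version` or the About page; the inventory entries are constructed samples.

```javascript
// Added example (not Google's tooling): check a reported Chrome build against
// the Chrome 142 fixed versions named on this page. Input is the text that
// `google-chrome --version` or the About page prints; samples are constructed.

const FIXED_VERSIONS = { // Chrome 142 stable builds from the release notes on this page
  linux: "142.0.7444.59",
  windows: "142.0.7444.60",
  mac: "142.0.7444.60",
};

// Pull the four-part Chromium version out of "Google Chrome 142.0.7444.59" or a bare version.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (!m) throw new Error(`no Chromium-style version in: ${text}`);
  return m.slice(1, 5).map(Number);
}

// Component-wise numeric comparison; plain string comparison would rank 9.x above 10.x.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the build is at or past the fixed version for its platform.
function isPatched(versionText, platform) {
  const fixed = FIXED_VERSIONS[platform];
  if (!fixed) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(parseVersion(versionText), parseVersion(fixed)) >= 0;
}

// Constructed sample inventory, as an asset-collection script might report it.
const SAMPLE_INVENTORY = [
  { host: "ws-01", platform: "linux",   version: "Google Chrome 142.0.7444.59" },
  { host: "ws-02", platform: "windows", version: "Google Chrome 142.0.7444.59" }, // below the .60 Windows fix
  { host: "ws-03", platform: "mac",     version: "Google Chrome 141.0.7000.1" },  // constructed older build
];

function unpatchedHosts(inventory = SAMPLE_INVENTORY) {
  return inventory.filter((h) => !isPatched(h.version, h.platform)).map((h) => h.host);
}

console.log(unpatchedHosts()); // [ 'ws-02', 'ws-03' ]
```

A pass here covers only the 20 vulnerabilities fixed in this release; the Brash issue is reported as unpatched through 143.0.7483.0.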
Microsoft Edge for Business Enhances Security with New Connectors
Overview
Microsoft is continually investing in enterprise-grade security for its Edge browser. Recent updates announced on October 30, 2025, include the introduction of new Edge for Business connectors. These connectors are designed to help organizations secure their browser environments more effectively, offering enhanced management capabilities and integration with existing security infrastructures. This initiative reflects Microsoft's commitment to providing robust security tools for business users, enabling IT administrators to implement granular security policies and better protect corporate data accessed through the browser.
Key Features
- Improved integration with security solutions including Symantec DLP, RSA ID Plus, Omnissa Access Device Trust, KnowBe4 SecurityCoach, and Trellix DLP
- Enhanced control over browser security settings with device trust and conditional access capabilities
- Streamlined management for IT administrators through Microsoft 365 admin center
- Zero additional cost for Edge for Business users
Microsoft Retires Editor Extensions on Edge and Chrome
Overview
Microsoft has announced the retirement of its popular Editor extensions for both Edge and Chrome browsers, effective October 31, 2025. As reported by CyberPress, this change aims to consolidate and integrate the functionality of these extensions directly into Microsoft Edge's native proofing engine and Microsoft 365, providing a more seamless and consistent experience for users. While this is not a vulnerability, it represents a significant policy shift that impacts how users interact with browser-based productivity tools and could influence overall browser and productivity suite security postures.
Impact
- For Edge Users: Automatic transition to built-in proofing features with no action required
- For Chrome Users: Extension will cease functioning after October 31, 2025; no direct Microsoft replacement available
- Enhanced Capabilities: AI-powered suggestions with support for 85+ languages and improved performance in Edge
Browser Compatibility Updates Highlight Importance of Current Versions
Implications for Security
Regular updates to browser compatibility requirements, such as those for the CAASPP and ELPAC assessments, underscore the critical need for users and organizations to maintain up-to-date browser versions. These requirements often mandate specific browser versions (e.g., Chrome, Firefox, Edge, Safari) to ensure functionality and security. Staying current not only ensures access to necessary services but also provides protection against known vulnerabilities and leverages the latest security features from browser vendors.
References
- New "Brash" Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL - The Hacker News
- Critical Blink Vulnerability Lets Attackers Crash Chromium Browsers in Seconds - GBHackers
- Security hole slams Chromium browsers - no fix yet - The Register
- Brash exploit can cause any Chromium browser to collapse in 15-60 seconds - Security Affairs
- Chrome 142 Update Patches 20 Security Flaws Enabling Code Execution - GBHackers
- Google Releases Chrome 142 with Patches for 20 High-Severity Vulnerabilities - CyberPress
- Secure the browser your way with new Edge for Business connectors - Microsoft Edge Dev Blog
- Microsoft to Retire Popular Editor Extensions on Edge and Chrome - CyberPress
- Updates to Supported Operating Systems and Secure Browsers for 2025–26 - CAASPP ELPAC