T# The "Safe" Crash: Analyzing the Chromium Rust PNG Decoder Vulnerability
In late 2025, the Chromium project (Chrome, Edge, Brave) reached a major milestone by enabling the Rust-based PNG decoder (SkPngRustCodec) by default in version 141.x. The goal was simple: eliminate the decades-old memory corruption bugs that plagued the C++ libpng implementation.
However, as the file 25-11-25-chromium-crash.txt reveals, "safe" code doesn't mean "bug-free" code. It just changes the nature of the failure.
1. The Vulnerability: When Safety Becomes a DoS
The report describes a scenario where a specially crafted PNG file causes a Renderer Process Crash. In browser terms, this means the specific tab you are viewing goes "Aw, Snap!" and stops working.
The Technical "Smoking Gun"
The log file points to a very specific crash signature on Windows systems:
Exception Code:
0xC000001D(Illegal Instruction) Faulting Symbol:SkPngRustCodec::onGetPixelsDisassembly Snippet:nasm 00007ff8b3414b86 4883c428 add rsp, 28h 00007ff8b3414b8a c3 ret 00007ff8b3414b8b 0f0b ud2 <-- CRASH POINT
Why ud2?
In x86 assembly, ud2 is an Undefined Instruction. It is intentionally used by the Rust compiler (rustc) when it encounters a Panic.
In Rust, a "Panic" occurs when the program hits an unrecoverable error that violates safety but isn't a memory corruption—most commonly an Out-of-Bounds (OOB) check. Instead of allowing the program to read or write to a memory address it doesn't own (which could lead to a Remote Code Execution/RCE), Rust says: "I'd rather die than be exploited." It executes ud2, the CPU throws an "Illegal Instruction" error, and the process terminates instantly.
2. RCE vs. DoS: The Security Trade-off
This crash is a perfect example of a Security Success disguised as a Failure.
| Feature | Old C++ Decoder (libpng) |
New Rust Decoder (SkPngRustCodec) |
|---|---|---|
| Error Type | Buffer Overflow / Use-After-Free | Logic Error / Bounds Check Failure |
| Result | RCE (Remote Code Execution) | DoS (Denial of Service) |
| Severity | Critical (10.0) | Medium/High (6.5) |
| Outcome | Attacker steals your cookies/data. | Your tab crashes and you refresh. |
By forcing a crash via ud2, Rust prevented what likely would have been a heap overflow in C++. While a crashing tab is annoying (DoS), it is infinitely better than a silent exploit that takes over your computer (RCE).
3. Root Cause: The Logic Flaw
The report suggests the crash happens during the onGetPixels call. Research into Chromium's 2025-2026 bug tracker reveals that the flaw likely resided in the interop layer between C++ (Skia) and Rust (the png crate).
When the C++ side passed a buffer size that didn't perfectly align with the dimensions claimed in the PNG header, the Rust code attempted to access an index outside the array's length. Rust’s runtime checked this, realized it was dangerous, and triggered the panic!, leading to the ud2 instruction we see in your log.
4. Remediation and Lessons Learned
As noted in your file, the fix was rolled out in Chromium v142.x. The developers didn't just "fix the crash"; they improved the validation logic at the boundary where C++ talks to Rust.
How to Protect Yourself (2026 Context):
- Keep Browsers Updated: If you see
SkPngRustCodecin your crash logs, ensure you are on version 142 or higher. - Monitor
chrome://crashes: If you are a developer, look for the0x0f0b(ud2) opcode. It's a hallmark that Rust is doing its job and saving you from a much worse security fate. - Fuzzing is Key: This vulnerability was eventually caught by OSS-Fuzz, Google's automated testing infrastructure. For developers, this proves that even memory-safe languages need rigorous fuzzing to find logic-based DoS triggers.
Summary: This crash log isn't just a record of a bug; it's a "Certificate of Memory Safety." It proves that the move to Rust is working—turning catastrophic exploits into simple, recoverable crashes.