Microsoft has addressed a security vulnerability in the new Rust-based kernel component of the Windows Graphics Device Interface (GDI) identified by Check Point Research (CPR) in January 2025. The vulnerability, which affected the Win32kbase_rs.sys driver, was patched in OS Build 26100.4202 and fully released by June 2025.
Vulnerability Discovery
The flaw was uncovered during a metafile fuzzing campaign by CPR, targeting EMF/EMF+ files. CPR adapted a fuzzer for Windows binaries, eventually triggering a kernel-level BugCheck or system crash during testing. The Rust kernel code caught an out-of-bounds access, leading to a Blue Screen of Death (BSOD), which was deemed a moderate severity denial-of-service vulnerability.
- CPR identified the bug in January 2025 using fuzzing techniques.
- The vulnerability was categorized as a moderate-severity issue.
- Microsoft addressed this with a non-security update starting in May 2025.
Mitigation Measures
Microsoft implemented a fix involving significant method changes for the vulnerability in the region_from_path_mut() function. These changes were reflected in win32kbase_rs.sys (version 4202). The patch included splitting edge handling procedures and using a runtime feature flag for implementation selection. Initially disabled in testing, the feature was confirmed as part of the production update by the end of June 2025.
- The patch introduces hardened edge handling functions.
- Global rollout of the fix was completed by June 2025.
Implications and Future Outlook
While Rust provides strong memory safety, the discovery by CPR underscores that using such languages does not fully eliminate vulnerabilities. The bug reveals potential unsafe effects from failed security checks. This incident marks a significant event as it may be the first known security issue in a Rust-based Windows kernel component since Rust's kernel integration. Continuous security testing and design vigilance remain crucial as Microsoft continues integrating memory-safe languages into the kernel.
