Since the dfinity/ic repo doesn’t allow reporting bugs, I’ll do it here.
It seems that the Canister sandbox uses cbor_serde and CBOR for its transportation layer, and some of the messages (didn’t track down which ones actually) have an i128 or u128 type in them, which, if the value overflows 64 bits, causes cbor_serde to panic (upstream bug). Not sure if that would stall a subnet.
I triggered this with Motoko and drun, but I assume it can at least be triggered in a dev instance of the replica. Triggering it in the wild may require amassing 2^64 cycles in one canister, which is a bit expensive to demonstrate a bug.
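
For context on the 64-bit limit described in the post, an added example (not part of the original post, and not code from dfinity/ic or from the CBOR crate it mentions): CBOR's plain integer types carry at most a 64-bit argument, so an encoder given a u128 has to either switch to the tag 2 bignum form from RFC 8949 or return an error the caller can handle. The function names are hypothetical and only the Rust standard library is used.

```rust
/// Added example (std-only, hypothetical names). Writes a CBOR head per RFC 8949,
/// section 3: a 3-bit major type followed by an argument of at most 64 bits.
fn write_head(out: &mut Vec<u8>, major: u8, arg: u64) {
    let m = major << 5;
    if arg < 24 {
        out.push(m | arg as u8);
    } else if arg <= u8::MAX as u64 {
        out.push(m | 24);
        out.push(arg as u8);
    } else if arg <= u16::MAX as u64 {
        out.push(m | 25);
        out.extend_from_slice(&(arg as u16).to_be_bytes());
    } else if arg <= u32::MAX as u64 {
        out.push(m | 26);
        out.extend_from_slice(&(arg as u32).to_be_bytes());
    } else {
        out.push(m | 27);
        out.extend_from_slice(&arg.to_be_bytes());
    }
}

/// Lossless: major type 0 when the value fits in 64 bits, tag 2 bignum otherwise.
fn encode_u128(v: u128) -> Vec<u8> {
    let mut out = Vec::new();
    if v <= u64::MAX as u128 {
        write_head(&mut out, 0, v as u64);
    } else {
        let be = v.to_be_bytes();
        let first = (v.leading_zeros() / 8) as usize; // skip leading zero bytes
        write_head(&mut out, 6, 2); // tag 2: unsigned bignum
        write_head(&mut out, 2, (be.len() - first) as u64); // byte string header
        out.extend_from_slice(&be[first..]);
    }
    out
}

/// Strict: reject out-of-range values with an error instead of panicking.
fn encode_u128_strict(v: u128) -> Result<Vec<u8>, String> {
    if v > u64::MAX as u128 {
        return Err(format!("{} exceeds CBOR's 64-bit integer range", v));
    }
    let mut out = Vec::new();
    write_head(&mut out, 0, v as u64);
    Ok(out)
}

fn main() {
    let cycles: u128 = 1u128 << 64; // constructed sample: first value past u64::MAX
    println!("{:02x?}", encode_u128(cycles));
    println!("{:?}", encode_u128_strict(cycles));
}
```

A receiver that only expects major type 0 must also be taught to accept the tag 2 form, otherwise the strict variant with explicit error handling is the safer choice on both ends.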