New Windows Graphics Vulnerabilities Expose Systems to Remote Code Execution Risks

Check Point Research (CPR) has identified three significant vulnerabilities in Microsoft’s Graphics Device Interface (GDI), the Windows component responsible for rendering images and text. The vulnerabilities, tracked as CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984, were found through a fuzzing campaign focused on the Enhanced Metafile Format Plus (EMF+) structure, which exposed several unsafe memory-handling routines in the GDI subsystem.

Microsoft responded to these findings by deploying patches during its Patch Tuesday updates in May, July, and August of 2025.

Memory Corruption in GDIPlus.dll

The first vulnerability, CVE-2025-30388, stems from inadequate validation of clipping rectangles in EMF+ files. Rated as important and categorized as “Exploitation More Likely,” this flaw is triggered when an EmfPlusSetTSClip record containing malformed RECT objects precedes operations such as EmfPlusDrawString or EmfPlusFillRects. Invalid coordinates can lead to heap corruption within GdiPlus.dll, particularly in the functions ScanOperation::AlphaMultiply_sRGB() and EpAntialiasedFiller::OutputSpan().

Decompiled source code of the affected ScanOperation::AlphaMultiply_sRGB() function.

CPR’s crash analysis revealed multiple access violations resulting from out-of-bounds writes in the heap block allocated for image color data. By manipulating the alpha value in the EmfPlusClear record, an attacker could potentially control written memory values, leading to remote code execution. Microsoft addressed this issue in version 10.0.26100.4061 of GdiPlus.dll (KB5058411, May 2025), introducing two new safeguard routines, ValidateAndSet() and IsRectValid(), to verify all RECT structures prior to rendering.

Remote Code Execution via Memory Handling Flaws

The second vulnerability, CVE-2025-53766, is classified as critical, allowing remote code execution without user interaction. Found in the same GdiPlus.dll module (version 10.0.26100.4202), this flaw resides within the ScanOperation::AlphaDivide_sRGB() function. Here, malformed EmfPlusDrawRects records containing irregular EmfPlusRect objects triggered writes to unallocated memory. The vulnerability originated from the EpScanBitmap::NextBuffer() function, which failed to verify whether the number of image scan-lines fit within the bitmap’s height.

During testing, a crafted EMF+ metafile pushed scan-lines beyond the allocated area, corrupting memory outside the bitmap boundary. The flaw is particularly dangerous where untrusted images are processed over the network. Microsoft rectified the issue in version 10.0.26100.4946 (KB5063878, August 2025) by adding a boundary check that trims requests exceeding the bitmap size before rasterization, preventing out-of-bounds memory access during thumbnail or image generation routines.

Incomplete Patch Triggers Information Disclosure

The third vulnerability, CVE-2025-47984, is a continuation of an earlier issue, CVE-2022-35837, which was only partially addressed. Detected in gdi32full.dll version 10.0.26100.3624, this vulnerability affects the handling of EMR_STARTDOC records. The StringLengthWorkerW() function incorrectly assumed that input strings were properly null-terminated. When malformed input was processed, the function read memory beyond the allocated buffer, resulting in information disclosure.

The underlying cause was faulty offset arithmetic in MRSTARTDOC::bPlay(), which neglected to revalidate string pointers after adjusting the record’s internal cursor. Microsoft corrected this logic in version 10.0.26100.4652 (KB5062553, July 2025) by recalculating offsets relative to the start of the record and enforcing consistent bounds checks.
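The two bug classes described above (a string-length walk that trusts the file to supply a terminator, and a scan-line request that is not bounded by the bitmap height) come down to checks that are easy to state. The following is an added illustration written for this page, not Microsoft’s code, and the record layout and names (emr_record_t, bounded_wstrlen, clamp_scanlines) are assumptions: the string length is computed relative to the record start and accepted only if the terminator lies inside the record, and the row count is clamped to what the bitmap can hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record view (assumption, not the real EMR_STARTDOC layout):
 * the raw bytes of one record and its total size. */
typedef struct {
    const uint8_t *data;
    size_t size;
} emr_record_t;

/* Length in UTF-16 units of the string at byte offset `offset` from the
 * record start. Accepted only if a NUL terminator lies inside the record;
 * rejects out-of-range or misaligned offsets and unterminated strings. */
static bool bounded_wstrlen(const emr_record_t *rec, size_t offset, size_t *len_out) {
    if (offset > rec->size || (offset & 1) != 0) return false;
    size_t avail = (rec->size - offset) / 2;          /* whole UTF-16 units left */
    for (size_t i = 0; i < avail; i++) {
        uint16_t ch;
        memcpy(&ch, rec->data + offset + 2 * i, sizeof ch);  /* unaligned-safe read */
        if (ch == 0) { *len_out = i; return true; }
    }
    return false;                                     /* no terminator in bounds */
}

/* Number of rows a scan-line fill may touch from `first_row`, clamped to the
 * bitmap height; 0 when the request starts outside the bitmap entirely. */
static uint32_t clamp_scanlines(uint32_t bitmap_height, uint32_t first_row, uint32_t requested) {
    if (first_row >= bitmap_height) return 0;
    uint32_t remaining = bitmap_height - first_row;
    return requested < remaining ? requested : remaining;
}

/* Constructed sample records: 4-byte header, then a UTF-16 string at offset 4. */
static const uint8_t GOOD_REC[] = { 1, 0, 0, 0, 'A', 0, 'B', 0, 0, 0 };  /* "AB" + NUL */
static const uint8_t BAD_REC[]  = { 1, 0, 0, 0, 'A', 0, 'B', 0 };        /* no NUL    */

/* Returns the accepted length, or -1 when the record is rejected. */
static long demo_len(const uint8_t *data, size_t size) {
    emr_record_t rec = { data, size };
    size_t len = 0;
    return bounded_wstrlen(&rec, 4, &len) ? (long)len : -1;
}
static long demo_good_len(void) { return demo_len(GOOD_REC, sizeof GOOD_REC); }
static long demo_bad_len(void)  { return demo_len(BAD_REC, sizeof BAD_REC); }

int main(void) {
    printf("good=%ld bad=%ld rows=%u\n", demo_good_len(), demo_bad_len(), clamp_scanlines(100, 90, 50));
    return 0;
}
```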

These vulnerabilities underscore the ongoing memory-safety risks in Windows GDI components and the need for continuous fuzzing and verification of legacy codebases. CPR has emphasized that incomplete fixes can leave residual exposure for years, and advocates closer collaboration between researchers and software vendors to ensure robust mitigation of complex rendering exploits.
