Multiple vulnerabilities have been identified within Microsoft’s Graphics Device Interface (GDI), a fundamental element of the Windows operating system that plays a crucial role in rendering graphics. These vulnerabilities were uncovered by Check Point through an extensive fuzzing campaign aimed at Enhanced Metafile (EMF) formats, revealing potential avenues for remote attackers to execute arbitrary code or exfiltrate sensitive information.
The issues were responsibly disclosed to Microsoft and subsequently addressed in a series of Patch Tuesday updates throughout 2025. However, they highlight the persistent risks associated with legacy graphics processing systems.
The vulnerabilities arise from improper handling of EMF+ records, which are integral to documents and images processed by applications such as Microsoft Office and various web browsers. Attackers could potentially exploit these flaws by deceiving users into opening malicious files, including manipulated Word documents or image thumbnails, which could lead to full system compromise without requiring user interaction.
Check Point’s analysis, shared in a recent blog post, sheds light on how these vulnerabilities emerged from invalid rectangle objects, buffer overflows, and incomplete prior fixes. This underscores the complexities involved in securing deeply embedded system libraries.
Windows Graphics Vulnerabilities
Among the vulnerabilities, CVE-2025-30388 has been rated as Important, with a CVSS score of 8.8. This flaw involves out-of-bounds memory operations during the processing of records such as EmfPlusDrawString and EmfPlusFillRects. Triggered by malformed EmfPlusSetTSClip records, it allows attackers to read or write beyond allocated heap buffers, which could lead to data leakage or code execution.
This particular flaw affects Windows 10 and 11, as well as Office for Mac and Android. Microsoft has classified it as “Exploitation More Likely” due to its accessibility through common file formats.
The most critical vulnerability, CVE-2025-53766, carries a CVSS score of 9.8 and permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function. By crafting EmfPlusDrawRects records with oversized rectangles, attackers can overflow scan-line buffers during bitmap rendering, circumventing boundaries in thumbnail generation. Notably, this vulnerability does not require any privileges, making it particularly appealing for network-based attacks targeting services that parse EMF files.
Another significant issue, CVE-2025-47984, rated Important with a CVSS score of 7.5, exploits a lingering flaw in the handling of EMR_STARTDOC records, which is tied to an incomplete fix for CVE-2022-35837. This vulnerability leads to over-reads in string length calculations, exposing adjacent heap memory. Classified as a protection mechanism failure (CWE-693), it could facilitate further attacks by revealing sensitive system information.
| CVE ID | Severity | CVSS v3.1 Score | Affected Products | Impact | Patch KB |
|---|---|---|---|---|---|
| CVE-2025-30388 | Important | 8.8 | Windows 10/11, Office (Mac/Android) | RCE, Info Disclosure | KB5058411 (May) |
| CVE-2025-53766 | Critical | 9.8 | Windows 10/11 | Remote Code Execution | KB5063878 (Aug) |
| CVE-2025-47984 | Important | 7.5 | Windows 10/11 | Information Disclosure | KB5062553 (Jul) |
Mitigations
Microsoft has addressed these vulnerabilities through updates to GdiPlus.dll and gdi32full.dll, incorporating validations for rectangles, scan-lines, and offsets to prevent overflows. Users are strongly advised to apply these patches promptly and enable automatic updates to ensure ongoing protection.
Check Point recommends disabling EMF rendering in untrusted contexts, utilizing sandboxed viewers for document access, and actively monitoring for any anomalous graphics processing activities. These findings, part of a broader fuzzing initiative focused on Windows kernel graphics, reveal how subtle errors in file parsing can remain undetected for extended periods. As remote work and cloud services continue to expand, such vulnerabilities present increasing threats to enterprises.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
