metafile Archives

Winsage

November 3, 2025

Windows Graphics Vulnerabilities Allow Remote Attackers to Execute Arbitrary Code

Multiple vulnerabilities have been identified in Microsoft’s Graphics Device Interface (GDI), particularly related to Enhanced Metafile (EMF) formats, allowing potential remote code execution and information exfiltration. Key vulnerabilities include: - CVE-2025-30388: Rated Important with a CVSS score of 8.8, it involves out-of-bounds memory operations during processing of records, affecting Windows 10/11 and Office for Mac/Android. It allows attackers to read or write beyond allocated heap buffers. - CVE-2025-53766: Rated Critical with a CVSS score of 9.8, it permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function, affecting Windows 10/11 without requiring privileges. - CVE-2025-47984: Rated Important with a CVSS score of 7.5, it exploits a flaw in handling EMR_STARTDOC records, leading to information disclosure by exposing adjacent heap memory. Microsoft has released patches to address these vulnerabilities, and users are advised to apply them promptly. Recommendations include disabling EMF rendering in untrusted contexts and using sandboxed viewers for document access.

Winsage

November 3, 2025

New Windows Graphics Vulnerabilities Expose Systems to Remote Code Execution Risks

Check Point Research (CPR) identified three vulnerabilities in Microsoft’s Graphics Device Interface (GDI): 1. CVE-2025-30388: Inadequate validation of clipping rectangles in EMF+ files can lead to heap corruption in GdiPlus.dll, allowing potential remote code execution. Microsoft patched this in May 2025 with version 10.0.26100.4061. 2. CVE-2025-53766: A critical flaw in GdiPlus.dll allows remote code execution without user interaction due to unallocated memory writes triggered by malformed EmfPlusDrawRects records. Microsoft addressed this in August 2025 with version 10.0.26100.4946. 3. CVE-2025-47984: This vulnerability, related to an earlier issue, involves improper handling of EMR_STARTDOC records in gdi32full.dll, leading to information disclosure. Microsoft fixed this in July 2025 with version 10.0.26100.4652. Microsoft released patches for these vulnerabilities during its Patch Tuesday updates in May, July, and August of 2025.

Winsage

November 3, 2025

New GDI Flaws Could Enable Remote Code Execution in Windows

A series of vulnerabilities within the Windows Graphics Device Interface (GDI) has been discovered, potentially allowing for remote code execution and information disclosure. These vulnerabilities are linked to malformed enhanced metafile (EMF) and EMF+ records, leading to memory corruption during image rendering. Three specific vulnerabilities were analyzed and included in Microsoft's Patch Tuesday updates released in May, July, and August of 2025. They are cataloged as: - CVE-2025-30388: Rated important and more likely to be exploited. - CVE-2025-53766: Rated critical, enabling remote code execution. - CVE-2025-47984: Rated important, associated with information disclosure. All three involve out-of-bounds memory access triggered by crafted metafiles. Microsoft has released patches for GdiPlus.dll and gdi32full.dll to address these vulnerabilities, including validation checks and corrections in memory handling. These vulnerabilities also affect Microsoft Office for Mac and Android platforms.

Winsage

October 18, 2025

Windows Rust-based Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error

A vulnerability has been identified in Microsoft’s Rust-based kernel component for the Graphics Device Interface (GDI) within Windows, which can cause a system-wide crash (BSOD). The issue was discovered during a fuzzing campaign by Check Point, which revealed crashes and potential code execution risks. The vulnerability is linked to an out-of-bounds array access in the win32kbasers.sys driver during the path-to-region conversion in NtGdiSelectClipPath, triggered by a malformed EmfPlusDrawBeziers record. A proof-of-concept demonstrated that embedding a crafted metafile could lead to a BSOD from low-privilege sessions on Windows 11. Microsoft addressed the flaw in OS Build 26100.4202 through an update released on May 28, 2025. Despite being classified as a non-critical denial-of-service issue, this incident highlights the challenges of integrating memory-safe programming languages into operating systems.

Winsage

October 18, 2025

New Windows GDI Rust Kernel Vulnerability Triggers Remote Code Execution

Security researchers identified a vulnerability in the Rust-based Windows kernel component, specifically within the Windows Graphics Device Interface (GDI), which can be triggered remotely and cause system-wide crashes. The flaw was linked to the win32kbase_rs.sys kernel driver, resulting from an out-of-bounds memory access while processing a malformed path in an EmfPlusDrawBeziers record. This vulnerability represents a denial-of-service risk, allowing a malicious actor to crash systems by embedding a harmful metafile in documents or webpages. It affects both x86 and x64 systems running Windows 11 version 24H2, with a single compromised low-privilege account capable of causing widespread crashes. Microsoft released a fix in the May 28, 2025, preview update (KB5058499), which included a new bounds-hardened routine, but initial testing showed that the feature flag for this fix was disabled, delaying full mitigation until July 2025 Patch Tuesday.

Winsage

October 17, 2025

Denial of Fuzzing: Rust in the Windows kernel

Check Point Research (CPR) identified a significant security vulnerability in the Rust-based kernel component of the Graphics Device Interface (GDI) in Windows, reported to Microsoft in January 2025. The issue was resolved in OS Build 26100.4202, part of the KB5058499 update released on May 28, 2025. The vulnerability was discovered during a fuzzing campaign targeting the Windows graphics component through metafiles, revealing multiple security issues including information disclosure and arbitrary code execution. The specific bug was linked to a crash occurring during the execution of a NtGdiSelectClipPath syscall in the win32kbasers.sys driver, triggered by an out-of-bounds memory access when processing malformed metafile records. Microsoft classified the vulnerability as moderate severity and addressed it in a non-security update, implementing substantial changes to the affected kernel module.