A recent discovery has unveiled a series of previously unrecognized vulnerabilities within the Windows Graphics Device Interface (GDI), which could potentially allow for remote code execution and information disclosure. This revelation follows Microsoft’s timely release of critical patches aimed at addressing these issues.
The vulnerabilities are linked to malformed enhanced metafile (EMF) and EMF+ records, which can lead to memory corruption during the rendering of images. This new understanding broadens the scope of potential attack vectors associated with Windows graphics processing.
In-depth analysis has been conducted on three specific vulnerabilities, which were included in Microsoft’s Patch Tuesday updates released in May, July, and August of 2025.
These weaknesses were identified in the way Windows manages GDI operations, particularly within the GdiPlus.dll and gdi32full.dll files, responsible for processing vector graphics, text, and print tasks. The discoveries were the result of a fuzzing campaign that specifically targeted EMF formats.
Three Flaws Uncovered
The identified vulnerabilities are cataloged as follows:
- CVE-2025-30388: Rated important and more likely to be exploited.
- CVE-2025-53766: Rated critical, enabling remote code execution.
- CVE-2025-47984: Rated important, associated with information disclosure.
All three vulnerabilities involve out-of-bounds memory access, which is triggered through meticulously crafted metafiles. One particular flaw revolves around invalid rectangle objects, which allow attackers to manipulate memory writes during text rendering. Another vulnerability bypasses scan-line bounds checks during the generation of thumbnails, while the third issue relates to string handling within print-job initialization, exposing heap data when null-termination assumptions are not met.
How Attacks Could Unfold
Crafted EMF+ files have the potential to manipulate color and alpha values, heap allocation behavior, and pointer calculations. Research conducted by Check Point Research (CPR) has demonstrated that attackers could exploit these vulnerabilities to write controlled values beyond buffer limits or read memory past intended boundaries. This could lead to unauthorized access to sensitive information or system compromise without user interaction in certain scenarios.
“Our purpose in publishing this blog after security fixes were implemented is to further raise awareness of these vulnerabilities and provide Windows users with defensive insights and mitigation recommendations,” stated the researchers.
Microsoft Patches Shipped
In response to these vulnerabilities, Microsoft has released patches for GdiPlus.dll versions 10.0.26100.3037 through 10.0.26100.4946 and gdi32full.dll version 10.0.26100.4652. The mitigations include new validation checks for rectangle data, scan-line boundary trimming, and corrected pointer arithmetic in print-handling routines. These fixes were delivered through KB5058411 in May, KB5062553 in July, and KB5063878 in August.
This situation highlights the ongoing risks associated with complex graphics pipelines that process untrusted content. Researchers emphasize the importance of proactive patching and maintaining defensive awareness, noting that these vulnerabilities also affect Microsoft Office for Mac and Android platforms.
