A set of previously unknown flaws in Windows Graphics Device Interface (GDI) that could enable remote code execution and information disclosure has been revealed after Microsoft released fixes.
These issues involve malformed enhanced metafile (EMF) and EMF+ records that can cause memory corruption during image rendering. The findings expand understanding of attack surfaces tied to Windows graphics processing.
Three vulnerabilities have now been analyzed in depth, following their inclusion in Patch Tuesday updates across May, July and August 2025.
The weaknesses were uncovered in Windows’ handling of GDI operations, particularly within GdiPlus.dll and gdi32full.dll, which process vector graphics, text and print operations.
A fuzzing campaign targeting EMF formats led directly to the discoveries.
Three Flaws Uncovered
The bugs are tracked as:
-
CVE-2025-30388, rated important and more likely to be exploited
-
CVE-2025-53766, rated critical and enabling remote code execution
-
CVE-2025-47984, rated important and tied to information disclosure
All three involve out-of-bounds memory access triggered through carefully structured metafiles.
One flaw centered on invalid rectangle objects that allowed attackers to influence memory writes during text rendering.
Another bypassed scan-line bounds checks during thumbnail generation.
The third concerned string handling within print-job initialization, exposing heap data when null-termination assumptions failed.
How Attacks Could Unfold
Crafted EMF+ files could manipulate color and alpha values, heap allocation behavior and pointer calculations.
Check Point Research (CPR) demonstrated that attackers could write controlled values beyond buffer limits or read memory past intended boundaries, potentially accessing sensitive information or compromising systems without user interaction in certain scenarios.
“Our purpose in publishing this blog after security fixes were implemented is to further raise awareness of these vulnerabilities and provide Windows users with defensive insights and mitigation recommendations,” the researchers said.
Read more aboutWindows vulnerabilities: High Number of Windows 10 Users Remain as End-of-Life Looms
Microsoft Patches Shipped
Microsoft addressed the issues in GdiPlus.dll versions 10.0.26100.3037 through 10.0.26100.4946 and gdi32full.dll version 10.0.26100.4652.
Mitigations included new validation checks for rectangle data, scan-line boundary trimming and corrected pointer arithmetic in print-handling routines. Fixes arrived through KB5058411 in May, KB5062553 in July and KB5063878 in August.
The work underscores ongoing risks tied to complex graphics pipelines that accept untrusted content.
Researchers stressed proactive patching and defensive awareness, noting the bugs also impacted Microsoft Office for Mac and Android.
Image credit: JarTee / Shutterstock.com
