Check Point Research (CPR) has uncovered three critical vulnerabilities in Microsoft’s Graphics Device Interface (GDI) used by Windows for rendering images and text.
These flaws reported under CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984 were discovered through a targeted fuzzing campaign against the EMF+ (Enhanced Metafile Format Plus) structure, which revealed multiple unsafe memory handling routines in the GDI subsystem.
Microsoft patched the bugs during its May, July, and August 2025 Patch Tuesday updates.
Memory Corruption in GDIPlus.dll
The first vulnerability, CVE-2025-30388, arises from improper validation of clipping rectangles in EMF+ files.
The flaw, rated important and assessed as “Exploitation More Likely,” is triggered when an EmfPlusSetTSClip record containing malformed RECT objects precedes operations like EmfPlusDrawString or EmfPlusFillRects.
Invalid coordinates lead to heap corruption in GdiPlus.dll, specifically inside the functions ScanOperation::AlphaMultiply_sRGB() and EpAntialiasedFiller::OutputSpan().

Figure: ScanOperation::AlphaMultiply_sRGB() function.
CPR’s crash analysis showed multiple access violations caused by out-of-bounds writes in the heap block allocated to store image color data.
By manipulating the alpha value in the EmfPlusClear record, an attacker could control written memory values, potentially leading to remote code execution.
Microsoft addressed the issue in version 10.0.26100.4061 of GdiPlus.dll (KB5058411, May 2025). The patch introduced two new safeguard routines, ValidateAndSet() and IsRectValid(), which verify all RECT structures before rendering.
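The kind of check a rectangle-validation routine has to make before a clip box is trusted, as an added illustration that is not CPR's code or Microsoft's GdiPlus code: the `emfp_rect`, `surface`, `is_rect_valid()` and `fill_rect_checked()` names are hypothetical stand-ins, and the 8x8 surface is constructed for the example. The point is that a signed origin plus a signed extent must be summed in a wider type so that an overflowing edge is rejected instead of wrapping into the surface.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an EMF+ rectangle: signed 32-bit origin and extents. */
typedef struct { int32_t x, y, w, h; } emfp_rect;

/* Hypothetical render target: row-major 32-bit pixels. */
typedef struct { int32_t width, height; uint32_t *pixels; } surface;

/* Reject any rectangle that could not serve as a safe clip box:
 * negative extents, an origin outside the surface, or a right/bottom edge
 * that overflows int32 or lies beyond the surface. The sums are done in
 * 64 bits so the overflow case is caught rather than wrapping around. */
bool is_rect_valid(const emfp_rect *r, const surface *s) {
    if (r->w < 0 || r->h < 0) return false;
    if (r->x < 0 || r->y < 0) return false;
    int64_t right  = (int64_t)r->x + (int64_t)r->w;
    int64_t bottom = (int64_t)r->y + (int64_t)r->h;
    if (right > s->width || bottom > s->height) return false;
    return true;
}

/* Fill the rectangle with `color`. Returns the number of pixels written,
 * or -1 if the rectangle was rejected and nothing was touched. */
int64_t fill_rect_checked(surface *s, const emfp_rect *r, uint32_t color) {
    if (!is_rect_valid(r, s)) return -1;
    for (int32_t row = r->y; row < r->y + r->h; row++)
        for (int32_t col = r->x; col < r->x + r->w; col++)
            s->pixels[(size_t)row * (size_t)s->width + (size_t)col] = color;
    return (int64_t)r->w * (int64_t)r->h;
}

/* Constructed 8x8 surface used by the scenarios below. */
static uint32_t demo_pixels[8 * 8];
static surface demo_surface = { 8, 8, demo_pixels };

/* Run one fill against the constructed surface; returns fill_rect_checked's result. */
int64_t try_fill(int32_t x, int32_t y, int32_t w, int32_t h) {
    emfp_rect r = { x, y, w, h };
    return fill_rect_checked(&demo_surface, &r, 0xFFFFFFFFu);
}

int main(void) {
    printf("in-bounds 3x3 at (2,2): %lld\n", (long long)try_fill(2, 2, 3, 3));
    printf("negative width:         %lld\n", (long long)try_fill(2, 2, -3, 3));
    printf("overflowing x+w:        %lld\n", (long long)try_fill(INT32_MAX, 0, 10, 1));
    printf("past right edge:        %lld\n", (long long)try_fill(6, 0, 4, 1));
    return 0;
}
```

The overflow case is the one worth noting: `INT32_MAX + 10` computed in 32 bits would become a small negative number and pass a naive `right <= width` test, which is exactly why the comparison is made on 64-bit sums.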
Remote Code Execution via Memory Handling Flaws
The second vulnerability, CVE-2025-53766, is classified as critical and enables remote code execution without user interaction. It was found in the same module, GdiPlus.dll version 10.0.26100.4202, within the ScanOperation::AlphaDivide_sRGB() function.
Here, malformed EmfPlusDrawRects records containing irregular EmfPlusRect objects triggered writes to unallocated memory. The vulnerability stemmed from the EpScanBitmap::NextBuffer() function, which failed to verify whether the requested number of image scan-lines fit within the bitmap’s height.
During testing, a crafted EMF+ metafile pushed scan-lines beyond the allocated area, corrupting memory beyond the bitmap boundary. This made the flaw particularly exploitable in scenarios where untrusted images are processed over the network.
Microsoft fixed the issue in version 10.0.26100.4946 (KB5063878, August 2025) by adding a boundary check to trim requests exceeding the bitmap size.
This strengthened the function’s handling of rasterization processes and prevented out-of-bounds memory access during thumbnail or image generation routines.
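A scan-line hand-out routine that trims over-long requests to the bitmap's height, added here as an illustration and not taken from GdiPlus: `bitmap`, `next_buffer_checked()` and `write_rows()` are hypothetical names, and the 4x4 bitmap is constructed for the example. Trimming (rather than rejecting) mirrors the behaviour the article describes for the fix, so a request for more rows than remain simply yields the rows that exist.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bitmap: `height` rows of `width` 32-bit pixels, row-major. */
typedef struct { int32_t width, height; uint32_t *pixels; } bitmap;

/* Hand out a pointer to up to *count scan lines starting at row `start`.
 * The request is trimmed so that start + *count never exceeds the bitmap's
 * height; a request starting at or past the last row yields no lines at all. */
uint32_t *next_buffer_checked(bitmap *b, int32_t start, int32_t *count) {
    if (start < 0 || start >= b->height || *count <= 0) {
        *count = 0;
        return NULL;
    }
    if (*count > b->height - start)
        *count = b->height - start;   /* trim to what actually fits */
    return b->pixels + (size_t)start * (size_t)b->width;
}

/* Rasterize `count` rows of solid color beginning at `start`.
 * Returns the number of rows actually written. */
int32_t write_rows(bitmap *b, int32_t start, int32_t count, uint32_t color) {
    uint32_t *dst = next_buffer_checked(b, start, &count);
    if (dst == NULL) return 0;
    for (int32_t row = 0; row < count; row++)
        for (int32_t col = 0; col < b->width; col++)
            dst[(size_t)row * (size_t)b->width + (size_t)col] = color;
    return count;
}

/* Constructed 4x4 bitmap for the scenarios below. */
static uint32_t demo_pixels[4 * 4];
static bitmap demo_bitmap = { 4, 4, demo_pixels };

/* Write rows into the constructed bitmap; returns rows actually written. */
int32_t demo_write(int32_t start, int32_t count) {
    return write_rows(&demo_bitmap, start, count, 0xAABBCCDDu);
}

/* Read back a pixel of the constructed bitmap (0 when outside it). */
uint32_t demo_pixel(int32_t row, int32_t col) {
    if (row < 0 || col < 0 || row >= demo_bitmap.height || col >= demo_bitmap.width) return 0;
    return demo_pixels[(size_t)row * 4 + (size_t)col];
}

int main(void) {
    printf("100 rows from row 2 of 4: wrote %d\n", demo_write(2, 100));
    printf("1 row from row 4 of 4:    wrote %d\n", demo_write(4, 1));
    printf("4 rows from row 0:        wrote %d\n", demo_write(0, 4));
    return 0;
}
```

Without the trim, a caller that asked for 100 rows from row 2 would receive a pointer and a count that together span 98 rows past the end of the allocation, which is the shape of the out-of-bounds write the article describes.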
Incomplete Patch Triggers Information Disclosure
The third flaw, CVE-2025-47984, is a sequel to an older issue, CVE-2022-35837, which was only partially patched. Detected in gdi32full.dll version 10.0.26100.3624, the vulnerability impacts the handling of EMR_STARTDOC records.
The StringLengthWorkerW() function assumed input strings were properly null-terminated. When malformed input was processed, the function read memory past the allocated buffer, leading to information disclosure.
The root cause was faulty offset arithmetic in MRSTARTDOC::bPlay(), which failed to revalidate string pointers after adjusting the record’s internal cursor.
Microsoft corrected the logic in version 10.0.26100.4652 (KB5062553, July 2025) by recalculating offsets relative to the start of the record and enforcing consistent bounds checks.
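The two properties the fix restores, bounded string reads and offsets validated against the record start, can be shown on a small record parser. This is an added example, not the gdi32full.dll code: the record layout, `bounded_wcslen()` and `record_string_length()` are hypothetical stand-ins (the real EMR_STARTDOC encoding is not reproduced here), and the sample records are constructed byte arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical little-endian record layout (not the real EMR_STARTDOC encoding):
 *   bytes 0..3  size     total record size in bytes
 *   bytes 4..7  off_str  offset, from the record start, of a UTF-16LE string
 *   bytes 8..   payload
 */
#define REC_HDR_SIZE 8u

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Length in UTF-16 code units, reading at most max_units units.
 * Returns -1 if no terminator appears inside that window, so a string
 * that runs off the end of its record is reported instead of read past. */
int64_t bounded_wcslen(const uint8_t *p, size_t max_units) {
    for (size_t i = 0; i < max_units; i++)
        if (le16(p + 2 * i) == 0) return (int64_t)i;
    return -1;
}

/* Resolve the string named by the record's offset field and measure it.
 * Every check is made against the record start and its declared size, never
 * against a moving cursor, so a cursor adjustment cannot desynchronise them.
 * Returns the length in code units, or -1 on any malformed input. */
int64_t record_string_length(const uint8_t *rec, size_t rec_len) {
    if (rec_len < REC_HDR_SIZE) return -1;
    uint32_t size = le32(rec);
    uint32_t off  = le32(rec + 4);
    if (size > rec_len) return -1;                     /* declared size exceeds buffer */
    if (off < REC_HDR_SIZE || off >= size) return -1;  /* offset outside the payload  */
    if (off % 2 != 0) return -1;                       /* UTF-16 units are 2-byte aligned */
    return bounded_wcslen(rec + off, (size - off) / 2);
}

/* Constructed sample records. */
static const uint8_t rec_ok[] = {
    16,0,0,0,  8,0,0,0,  'H',0,'i',0, 0,0, 0,0 };       /* "Hi\0" + padding    */
static const uint8_t rec_unterminated[] = {
    12,0,0,0,  8,0,0,0,  'H',0,'i',0 };                 /* no terminator       */
static const uint8_t rec_bad_offset[] = {
    16,0,0,0,  40,0,0,0, 'H',0,'i',0, 0,0, 0,0 };       /* offset past the end */
static const uint8_t rec_oversized[] = {
    64,0,0,0,  8,0,0,0,  'H',0,'i',0, 0,0, 0,0 };       /* size > buffer       */

int main(void) {
    printf("ok:           %lld\n", (long long)record_string_length(rec_ok, sizeof rec_ok));
    printf("unterminated: %lld\n", (long long)record_string_length(rec_unterminated, sizeof rec_unterminated));
    printf("bad offset:   %lld\n", (long long)record_string_length(rec_bad_offset, sizeof rec_bad_offset));
    printf("oversized:    %lld\n", (long long)record_string_length(rec_oversized, sizeof rec_oversized));
    return 0;
}
```

The unterminated case is the one the article attributes to StringLengthWorkerW(): a length routine that trusts the terminator to exist will keep reading until it finds one somewhere in adjacent heap memory, and whatever it measures or copies from there is the information leak.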
These vulnerabilities highlight persistent memory safety risks in Windows GDI components, underscoring the importance of continuous fuzzing and verification in legacy codebases.
CPR emphasized that incomplete fixes can leave residual exposure for years and urged closer collaboration between researchers and software vendors to ensure robust mitigation against complex rendering exploits.