Windows GDI Vulnerability in Rust Kernel Module Enables Remote Attacks


A newly discovered flaw in Microsoft’s Rust-based Graphics Device Interface (GDI) kernel component allows unprivileged attackers to crash or take control of Windows systems.

Check Point Research (CPR) uncovered the issue in January 2025 and reported it to Microsoft. The company addressed the bug in the May 28, 2025 KB5058499 preview update (OS Build 26100.4202), with full rollout by late June.

CPR’s investigation began with a fuzzing campaign focused on Windows metafiles. Fuzzing injects random or malformed data into software to discover weaknesses.

The team used WinAFL Pet to manage mid-scale fuzzing jobs and BugId to analyze crashes. They targeted Enhanced Metafile Format (EMF) and its EMF+ variant, which embed drawing instructions for GDI functions.

Initial tests produced user-space crashes and memory leaks, but after a week, the test machines unexpectedly rebooted due to a kernel BugCheck.

Figure: Decompiled source code of the region_from_path_mut() function.

Investigators then shifted to capturing memory dumps and extracting mutated seed files from RAM disks using MemProcFS.

By replaying these samples in a single-instance fuzz setup, they could reproduce the crash consistently in under 30 minutes, after about 380,000 mutations of 836 seed files.

The crash occurred in the new Rust-based win32kbase_rs.sys driver during a NtGdiSelectClipPath syscall.

An index bounds check in the region_from_path_mut() function tripped when malformed path data produced an out-of-bounds array access.

The faulty logic arose when EMF+ Bezier curve records declared four points but supplied seventeen, causing the edge block lists to overflow their allotted size. The resulting panic_bounds_check() call halted the kernel with a Blue Screen of Death (BSOD).

CPR developed a proof-of-concept PowerShell script that loads a specially crafted metafile via Graphics::FromImage() and DrawImage(), functions intended for innocuous drawing tasks.

From a low-integrity account, an attacker could repeatedly crash desktops or servers across an enterprise, potentially causing data loss and operational downtime.

Microsoft’s Fix and Security Assessment

Microsoft classified the flaw as moderate severity “denial of service” and fixed it via non-security updates in June 2025.

Analysis of win32kbase_rs.sys file sizes showed an increase from 148 KB to 164 KB, indicating hardened bounds checks.

The update introduced dual edge-handling routines add_edge_original() and add_edge_new() with runtime feature flags to select the safe path. Although the patch existed in preview, the flag remained disabled until production.

Security researchers argue that any user-controlled input leading to a BSOD should be treated as a vulnerability.

In this case, Rust's memory safety prevented silent data corruption, but its default response to an out-of-bounds index is a panic, which in kernel mode brings down the whole system. A more robust design would validate the record and reject it gracefully instead of halting the machine.
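To make the failure mode described above concrete (a record declaring four points but carrying seventeen, and the difference between a panicking index and a validated one), here is an added Rust illustration. It is not CPR's or Microsoft's code; the record layout, the fixed edge-block capacity of four and the function names are assumptions made for the demo.

```rust
/// Toy EMF+-style Bezier record: a declared point count followed by the
/// points actually present in the stream. Layout is hypothetical.
pub struct BezierRecord {
    pub declared_points: usize,
    pub points: Vec<(i32, i32)>,
}

/// Fixed-capacity edge block, standing in for the kernel's edge block list.
pub const EDGE_CAPACITY: usize = 4;

/// Original-style logic: sizes the block from the declared count but walks
/// every supplied point. The indexed store panics (in a kernel, a BugCheck)
/// as soon as the supplied points exceed the block's capacity.
pub fn add_edges_original(rec: &BezierRecord) -> [(i32, i32); EDGE_CAPACITY] {
    let mut block = [(0, 0); EDGE_CAPACITY];
    for (i, p) in rec.points.iter().enumerate() {
        block[i] = *p; // index out of bounds once i >= EDGE_CAPACITY
    }
    block
}

#[derive(Debug, PartialEq)]
pub enum EdgeError {
    CountMismatch { declared: usize, supplied: usize },
    TooManyEdges { supplied: usize, capacity: usize },
}

/// Hardened logic: validate the record before touching the block and hand
/// the caller an error to reject the metafile with, instead of panicking.
pub fn add_edges_hardened(rec: &BezierRecord) -> Result<[(i32, i32); EDGE_CAPACITY], EdgeError> {
    let supplied = rec.points.len();
    if supplied != rec.declared_points {
        return Err(EdgeError::CountMismatch { declared: rec.declared_points, supplied });
    }
    if supplied > EDGE_CAPACITY {
        return Err(EdgeError::TooManyEdges { supplied, capacity: EDGE_CAPACITY });
    }
    let mut block = [(0, 0); EDGE_CAPACITY];
    for (slot, p) in block.iter_mut().zip(&rec.points) {
        *slot = *p;
    }
    Ok(block)
}

/// Constructed sample mirroring the report: four declared, seventeen supplied.
pub fn malformed_sample() -> BezierRecord {
    BezierRecord { declared_points: 4, points: (0..17).map(|i| (i, i * 2)).collect() }
}

fn main() {
    // The hardened path returns an error; the original path panics instead.
    println!("{:?}", add_edges_hardened(&malformed_sample()));
    let caught = std::panic::catch_unwind(|| add_edges_original(&malformed_sample()));
    println!("original panicked: {}", caught.is_err());
}
```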

This incident is likely the first public security flaw in Windows’ Rust kernel modules. It highlights that while Rust provides strong safety guarantees, language choice alone cannot replace rigorous testing and design principles.

The metaphor of a home alarm that demolishes the house to stop an intruder underscores the need for security measures that contain threats without destructive side effects.

As more Rust code integrates into critical systems, developers must maintain exceptionally high engineering standards and anticipate subtle edge cases to prevent disruptions at scale.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.