Multiple vulnerabilities have been found in Microsoft’s Graphics Device Interface (GDI), a core component of the Windows operating system responsible for rendering graphics.
These flaws, discovered by Check Point through an intensive fuzzing campaign targeting Enhanced Metafile (EMF) formats, could enable remote attackers to execute arbitrary code or steal sensitive data.
The issues were responsibly disclosed to Microsoft and patched across multiple Patch Tuesday updates in 2025, but they underscore ongoing risks in legacy graphics processing.
The vulnerabilities stem from improper handling of EMF+ records, which are used in documents and images processed by applications like Microsoft Office and web browsers.
Attackers could exploit them by tricking users into opening malicious files, such as rigged Word documents or image thumbnails, potentially leading to full system compromise without user interaction.
Check Point’s analysis, detailed in a recent blog post, emphasizes how these bugs arose from invalid rectangle objects, buffer overflows, and incomplete prior fixes, highlighting the challenges of securing deeply embedded system libraries.
Windows Graphics Vulnerabilities
CVE-2025-30388, rated Important with a CVSS score of 8.8, involves out-of-bounds memory operations during the processing of records like EmfPlusDrawString and EmfPlusFillRects.
Triggered by malformed EmfPlusSetTSClip records, it allows attackers to read or write beyond allocated heap buffers, potentially leaking data or enabling code execution.

This flaw affects Windows 10 and 11, as well as Office for Mac and Android, and Microsoft deems it “Exploitation More Likely” due to its accessibility via common file formats.
The most severe, CVE-2025-53766 (Critical, CVSS 9.8), permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function.
By crafting EmfPlusDrawRects records with oversized rectangles, attackers can overflow scan-line buffers in bitmap rendering, bypassing boundaries in thumbnail generation. No privileges are required, which puts network-facing services that parse EMF files at risk.
CVE-2025-47984 (Important, CVSS 7.5), an information disclosure bug, exploits a lingering flaw in EMR_STARTDOC record handling, tied to an incomplete fix for CVE-2022-35837.
It causes over-reads in string length calculations, exposing adjacent heap memory. Classified as a protection mechanism failure (CWE-693), this could aid further attacks by revealing system secrets.
| CVE ID | Severity | CVSS v3.1 Score | Affected Products | Impact | Patch KB |
|---|---|---|---|---|---|
| CVE-2025-30388 | Important | 8.8 | Windows 10/11, Office (Mac/Android) | RCE, Info Disclosure | KB5058411 (May) |
| CVE-2025-53766 | Critical | 9.8 | Windows 10/11 | Remote Code Execution | KB5063878 (Aug) |
| CVE-2025-47984 | Important | 7.5 | Windows 10/11 | Information Disclosure | KB5062553 (Jul) |
Mitigations
Microsoft addressed these in GdiPlus.dll and gdi32full.dll updates, adding validations for rectangles, scan-lines, and offsets to prevent overflows. Users should apply patches immediately and enable automatic updates.
Check Point recommends disabling EMF rendering in untrusted contexts, using sandboxed viewers for documents, and monitoring for anomalous graphics processing.
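For the monitoring and untrusted-input handling described above, a gateway or sandbox can structurally pre-screen EMF files before they reach a renderer. The following is an added example, not code from Check Point or Microsoft: it walks the EMF+ records embedded in EMF comment records and flags EmfPlusDrawRects/EmfPlusFillRects records whose Count does not fit the record or whose rectangles exceed a size limit. The function names and the `MAX_DIM` threshold are assumptions; it does not reproduce the checks Microsoft added in the patches.

```python
import struct

EMR_COMMENT, EMFPLUS_SIG = 0x46, 0x2B464D45   # EMF comment record type, "EMF+" identifier
RECTS = {0x400A: ("EmfPlusFillRects", 4), 0x400B: ("EmfPlusDrawRects", 0)}  # name, bytes before Count
MAX_DIM = 16384   # assumed triage threshold for width/height, not a value from the advisory

def emfplus_records(emf):
    """Yield (type, flags, data) per EMF+ record; raise ValueError on inconsistent sizes."""
    off = 0
    while off + 8 <= len(emf):
        rtype, rsize = struct.unpack_from("<II", emf, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(emf):
            raise ValueError(f"EMF record at {off:#x}: bad size {rsize}")
        dsize, ident = struct.unpack_from("<II", emf, off + 8) if rsize >= 16 else (0, 0)
        if rtype == EMR_COMMENT and ident == EMFPLUS_SIG:
            if dsize < 4 or 12 + dsize > rsize:
                raise ValueError(f"EMF+ comment at {off:#x}: bad DataSize {dsize}")
            buf, p = emf[off + 16:off + 12 + dsize], 0
            while p + 12 <= len(buf):
                ptype, flags, size = struct.unpack_from("<HHI", buf, p)
                if size < 12 or p + size > len(buf):
                    raise ValueError(f"EMF+ record {ptype:#x}: bad size {size}")
                yield ptype, flags, buf[p + 12:p + size]   # 12-byte header, then data
                p += size
        off += rsize

def triage(emf):
    """Return findings for rectangle records whose Count or dimensions look wrong."""
    out = []
    try:
        for ptype, flags, data in emfplus_records(emf):
            if ptype not in RECTS:
                continue
            name, skip = RECTS[ptype]
            fmt = "<4h" if flags & 0x4000 else "<4f"   # C flag: 16-bit ints, else floats
            (count,) = struct.unpack_from("<I", data, skip)
            rects = data[skip + 4:skip + 4 + count * struct.calcsize(fmt)]
            if len(rects) != count * struct.calcsize(fmt):
                raise ValueError(f"{name}: Count {count} does not fit record data")
            for _x, _y, w, h in struct.iter_unpack(fmt, rects):
                if not (0 <= w <= MAX_DIM and 0 <= h <= MAX_DIM):   # NaN fails too
                    out.append(f"{name}: rectangle {w:g}x{h:g} outside 0..{MAX_DIM}")
    except (ValueError, struct.error) as exc:
        out.append(f"malformed: {exc}")
    return out

def sample(count, w, h):   # constructed fragment (not a complete EMF file): one float DrawRects
    data = struct.pack("<I4f", count, 0, 0, w, h)
    plus = struct.pack("<HHII", 0x400B, 0, 12 + len(data), len(data)) + data
    return struct.pack("<IIII", EMR_COMMENT, 16 + len(plus), 4 + len(plus), EMFPLUS_SIG) + plus
```

A non-empty result from `triage()` is a reason to quarantine the file or route it to a sandboxed viewer; an empty result is not proof that the file is safe.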
These discoveries, part of a fuzzing effort on Windows kernel graphics, reveal how subtle errors in file parsing can evade detection for years. As remote work and cloud services proliferate, such vulnerabilities pose escalating threats to enterprises.




