Windows Rust-based Kernel GDI Vulnerability Leads to Crash and Blue Screen of Death Error

A vulnerability has been found in Microsoft’s newly implemented Rust-based kernel component for the Graphics Device Interface (GDI) in Windows.

This flaw, which could trigger a system-wide crash via a Blue Screen of Death (BSOD), highlights the challenges of integrating memory-safe languages into critical OS components.

Although Microsoft classified it as moderate severity, the issue underscores potential risks in enterprise environments where attackers might weaponize it for widespread disruption.

The vulnerability emerged during a targeted fuzzing campaign by Check Point, aimed at probing Windows’ graphics subsystem for weaknesses. Fuzzing, a technique that bombards software with malformed inputs to expose bugs, proved instrumental here.

Using tools like WinAFL and WinAFL Pet on a controlled test setup, researchers focused on the Enhanced Metafile Format (EMF) and EMF+ files, compact structures that instruct GDI on rendering 2D graphics.

These files, often embedded in documents or images, have long been a vector for exploits due to their complexity.

Starting with just 16 seed files, the fuzzers quickly unearthed crashes ranging from information leaks to code execution risks in user-space components.

But the real breakthrough came unexpectedly: repeated system restarts after BugChecks pointed to a kernel-level issue. Dubbed a “Denial of Fuzzing” condition, it halted testing and forced a pivot to kernel forensics.

Windows Rust-based Kernel GDI Vulnerability

To isolate the culprit, Check Point enhanced its setup with memory dump analysis using MemProcFS and Volatility, extracting mutated files from RAM disks.

They refined the corpus iteratively, shrinking reproduction time from days to 30 minutes across 836 samples.

A clever harness modification streamed mutations to a remote server via a custom C function and Python listener, capturing the precise 380,000th mutation that triggered the crash.

Deep analysis revealed the bug in win32kbase_rs.sys, Microsoft’s Rust-rewritten driver for GDI regions.

During path-to-region conversion in NtGdiSelectClipPath, an out-of-bounds array access in region_from_path_mut() invoked Rust’s panic_bounds_check(), causing a SYSTEM_SERVICE_EXCEPTION.

The trigger? A malformed EmfPlusDrawBeziers record with mismatched point counts (17 points declared as 4) and anomalous coordinates, combined with a wide-stroke pen from an EmfPlusObject.

This malformed geometry stressed edge block handling, bypassing bounds in the singly linked list representation.

A simple PowerShell proof-of-concept demonstrated the exploit’s accessibility: embedding the crafted metafile in a Graphics object via System.Drawing led to an instant BSOD, even from low-privilege sessions on x86/x64 Windows 11 24H2.

While not enabling remote code execution directly, it posed a potent denial-of-service threat: imagine an insider scripting crashes across an enterprise on a Friday evening.

Microsoft patched the flaw in OS Build 26100.4202 via the KB5058499 preview on May 28, 2025, expanding the driver by 16KB with hardened logic.

Key changes included dual edge-handling routines add_edge_original() and a bounds-checked add_edge_new(), gated by a feature flag. Full rollout followed in June, though initial testing showed the flag disabled.
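To make the failure mode and the fix concrete, here is an added Rust illustration (not Microsoft’s or Check Point’s code) of the count-mismatch bug described above and of the bounds-checked approach the patch took. The record shape, field names and the direction of the mismatch (more points declared than present) are assumptions for the example; the point is that in a kernel driver an indexing panic becomes a BugCheck, so declared counts must be validated and lookups made fallible.

```rust
/// Minimal stand-in for an EmfPlusDrawBeziers record (assumed shape).
#[derive(Debug)]
pub struct DrawBeziersRecord {
    /// Point count as declared in the record header.
    pub declared_count: usize,
    /// Points actually carried in the record payload.
    pub points: Vec<(i32, i32)>,
}

/// An edge between two consecutive path points.
pub type Edge = ((i32, i32), (i32, i32));

/// Models the pre-patch behaviour: trusts `declared_count` and indexes
/// with `[]`. On a mismatch Rust calls panic_bounds_check(); in kernel
/// mode that is a SYSTEM_SERVICE_EXCEPTION BugCheck, not a clean error.
pub fn edges_unchecked(rec: &DrawBeziersRecord) -> Vec<Edge> {
    let mut edges = Vec::new();
    for i in 1..rec.declared_count {
        edges.push((rec.points[i - 1], rec.points[i]));
    }
    edges
}

/// Hardened variant in the spirit of a bounds-checked add_edge_new():
/// the declared count is checked against the payload and lookups use
/// `.get()`, so a malformed record yields Err instead of a panic.
pub fn edges_checked(rec: &DrawBeziersRecord) -> Result<Vec<Edge>, String> {
    if rec.declared_count > rec.points.len() {
        return Err(format!(
            "record declares {} points but carries {}",
            rec.declared_count,
            rec.points.len()
        ));
    }
    let mut edges = Vec::with_capacity(rec.declared_count.saturating_sub(1));
    for i in 1..rec.declared_count {
        let a = rec.points.get(i - 1).ok_or("edge start out of range")?;
        let b = rec.points.get(i).ok_or("edge end out of range")?;
        edges.push((*a, *b));
    }
    Ok(edges)
}

/// Constructed sample record: 17 points declared, only 4 present.
/// The coordinates are made up; only the count mismatch matters.
pub fn malformed_sample() -> DrawBeziersRecord {
    DrawBeziersRecord {
        declared_count: 17,
        points: vec![(0, 0), (10, 0), (10, 10), (0, 10)],
    }
}
```

Running `edges_unchecked` on the sample panics in user mode, which is exactly the outcome a kernel driver cannot afford; `edges_checked` returns an error the caller can reject.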

Check Point reported the issue promptly, but Microsoft’s MSRC deemed it a non-critical DoS, arguing Rust’s panic mechanism behaved as designed.

This marks one of the first public Rust kernel bugs since Rust’s integration into Windows, which was touted at BlueHat IL 2023 as enhancing security. While Rust mitigates overflows, it doesn’t eliminate design flaws or incomplete testing.

As Windows leans into memory safety, such incidents remind developers: language alone isn’t a panacea. Thorough fuzzing and validation remain vital to prevent “alarm systems that blow up the house.”
