
Sketchy Graphics: Windows GDI Flaws Open RCE and Data Loss

Check Point finds Windows GDI bugs enabling RCE and data leaks. Learn how Microsoft patched and how to protect your systems.

Written By
Ken Underhill
Nov 3, 2025

Windows users received a trio of important graphics fixes this year after Check Point researchers uncovered vulnerabilities in the Graphics Device Interface (GDI) that could enable remote code execution (RCE) and information disclosure. 

GDI is widely used by Windows and third-party applications to render graphics, thumbnails, and print jobs. 

Because many systems automatically preview or render images, GDI flaws can be exploited through drive-by file handling — triggering code execution or data leaks without user interaction.

Microsoft addressed the issues across multiple patch releases, but organizations still need to validate patch coverage and harden systems parsing untrusted image content.

“This vulnerability could potentially allow a remote attacker to perform out-of-bounds read or write memory operations using a specially crafted EMF+ metafile,” said Check Point researchers about CVE-2025-30388.

Three GDI Flaws, One Big Risk

Check Point researchers discovered three distinct vulnerabilities in the Windows Graphics Device Interface (GDI) that affect how Windows handles Enhanced Metafile (EMF+) and related image formats.

CVE-2025-30388

The first vulnerability, CVE-2025-30388, was rated more likely to be exploited. It involves an out-of-bounds read/write during EMF+ processing in functions such as EmfPlusDrawString, EmfPlusFillRects, and EmfPlusFillClosedCurve.

The flaw stems from invalid rectangle (RECT) data introduced through the EmfPlusSetTSClip record, which corrupts memory when subsequent records are processed. 

The vulnerability was traced to functions like ScanOperation::AlphaMultiply_sRGB() in GdiPlus.dll, where improper validation allowed out-of-bounds access. 

Depending on the record sequence, attackers could achieve memory corruption or information disclosure. 

Microsoft addressed this issue by introducing new validation routines, ValidateAndSet() and IsRectValid(), that reject malformed RECTs before later records can act on them.

CVE-2025-53766

The second vulnerability, CVE-2025-53766, is a remote code execution (RCE) flaw caused by an out-of-bounds write in the ScanOperation::AlphaDivide_sRGB() function. 

This issue can be triggered using a specially crafted EmfPlusDrawRects record, which manipulates scan-line processing to exceed the boundaries of the target bitmap. 

Attackers could exploit this condition to write arbitrary data into restricted memory regions, potentially achieving RCE. 

Microsoft mitigated the weakness by modifying the EpScanBitmap::NextBuffer() function to limit scan-line requests to the image’s height, preventing buffer overruns and out-of-bounds access.
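Added here as an illustration of the two bounds checks described above for CVE-2025-30388 (rectangle validation) and CVE-2025-53766 (scan-line limit); the types, names and logic are constructed for this example and are not GdiPlus.dll's code.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed, simplified types for illustration; not GdiPlus.dll's structures. */
typedef struct { int32_t left, top, right, bottom; } Rect;
typedef struct { int32_t width, height, next_row; } ScanBitmap;

/* IsRectValid-style check (hypothetical): a clip or fill rectangle must be
 * non-inverted, non-negative and lie inside the target bitmap. Anything
 * else is rejected before later records can use it for addressing. */
bool rect_is_valid(const Rect *r, int32_t width, int32_t height) {
    if (r->left > r->right || r->top > r->bottom) return false;  /* inverted */
    if (r->left < 0 || r->top < 0) return false;                  /* negative */
    if (r->right > width || r->bottom > height) return false;     /* past edge */
    return true;
}

/* NextBuffer-style scan-line request (hypothetical): grants at most the rows
 * that remain below next_row, so a record asking for more rows than the
 * bitmap has cannot drive the scan operation past the pixel buffer.
 * Returns the first granted row, or -1 when nothing is left; *granted
 * receives the number of rows handed out. */
int32_t next_buffer(ScanBitmap *bm, int32_t rows_requested, int32_t *granted) {
    *granted = 0;
    if (rows_requested <= 0 || bm->next_row < 0 || bm->next_row >= bm->height)
        return -1;
    int32_t remaining = bm->height - bm->next_row;
    *granted = rows_requested < remaining ? rows_requested : remaining;
    int32_t first = bm->next_row;
    bm->next_row += *granted;
    return first;
}

/* Drives next_buffer() until the bitmap is exhausted and returns the total
 * rows served; the total never exceeds height whatever the request size. */
int32_t rows_drawable(int32_t height, int32_t per_request) {
    ScanBitmap bm = { 64, height, 0 };   /* constructed 64-pixel-wide bitmap */
    int32_t total = 0, granted;
    while (next_buffer(&bm, per_request, &granted) != -1)
        total += granted;
    return total;
}
```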

CVE-2025-47984

Finally, CVE-2025-47984 arises from an out-of-bounds read in the EMR_STARTDOC record handler. 

The underlying cause was found in the StringLengthWorkerW() function, which failed to properly validate string offsets, allowing reads beyond allocated buffers if the input string lacked a null terminator. 

This flaw was linked to an incomplete patch for a previous issue, CVE-2022-35837.

Microsoft corrected the offset arithmetic in MRSTARTDOC::bPlay() so that pointer validation aligns with the actual data being referenced, closing the loophole that had persisted through earlier remediation efforts.
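To show the kind of bound the page says StringLengthWorkerW() lacked, here is an added example (not Microsoft's code) that counts a UTF-16 string only within the record that contains it and refuses offsets that fall outside the record; the record layout, function names and sample bytes are constructed for illustration and are not the real EMR_STARTDOC structure.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record layout for illustration only, not the real EMR_STARTDOC
 * structure: 4-byte record size, 4-byte offset (from the record start) to a
 * null-terminated UTF-16LE string, then the payload bytes. */

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length in WCHARs of the string at 'offset', or -1 if the offset is outside
 * the record, misaligned, or no terminator exists before the record ends.
 * Scanning only within 'record_size' is what keeps an unterminated string
 * from turning into an out-of-bounds read. */
long bounded_wstr_len(const uint8_t *record, size_t record_size, uint32_t offset) {
    if (offset >= record_size || (offset & 1) != 0) return -1;
    size_t remaining = (record_size - offset) / 2;           /* whole WCHARs */
    const uint8_t *p = record + offset;
    for (size_t i = 0; i < remaining; i++) {
        uint16_t ch = (uint16_t)(p[2 * i] | (p[2 * i + 1] << 8));
        if (ch == 0) return (long)i;
    }
    return -1;   /* unterminated: refuse rather than read past the record */
}

/* Reads the header and checks the claimed size against the bytes actually
 * available before trusting any offset inside it. */
long startdoc_name_len(const uint8_t *record, size_t available) {
    if (available < 8) return -1;
    uint32_t size = rd32(record), off = rd32(record + 4);
    if (size > available) return -1;        /* header claims more than we have */
    return bounded_wstr_len(record, size, off);
}

/* Constructed samples: "Doc" terminated; "Doc" unterminated; offset past end. */
static const uint8_t REC_OK[]     = {16,0,0,0, 8,0,0,0, 'D',0,'o',0,'c',0, 0,0};
static const uint8_t REC_NOTERM[] = {14,0,0,0, 8,0,0,0, 'D',0,'o',0,'c',0};
static const uint8_t REC_BADOFF[] = {16,0,0,0, 40,0,0,0, 'D',0,'o',0,'c',0, 0,0};

long demo_ok(void)     { return startdoc_name_len(REC_OK, sizeof REC_OK); }
long demo_noterm(void) { return startdoc_name_len(REC_NOTERM, sizeof REC_NOTERM); }
long demo_badoff(void) { return startdoc_name_len(REC_BADOFF, sizeof REC_BADOFF); }
```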

Collectively, these issues map to memory corruption and protection-mechanism failures that attackers can trigger using specially crafted EMF/EMF+ files delivered via web content, documents, or print paths. 

The attack complexity is moderate, but the ubiquity of parsing paths increases exposure, especially on systems rendering thumbnails or handling untrusted graphics.

Reduce Your Attack Surface

To reduce exposure to the Windows GDI vulnerabilities, organizations should take immediate and layered action. 

The following mitigations combine patch management, access control, monitoring, and user awareness to minimize both exploitation risk and potential impact.

  • Patch and verify fixes: Apply all recent security updates across Windows and Office environments and confirm systems are fully updated.
  • Limit automatic rendering: Disable or restrict automatic previewing, thumbnail generation, and legacy graphics features in high-risk workflows.
  • Harden print and file handling: Restrict access to print and file operations, segment related servers, and enforce least privilege for users and services.
  • Strengthen execution controls: Block unauthorized software from running and enable system-level exploit mitigations to prevent memory attacks.
  • Enhance detection and isolation: Monitor for abnormal graphics activity, analyze crashes, and isolate untrusted files or media in secure environments.
  • Filter and educate: Filter risky image formats at gateways, run regular vulnerability scans, and train users to recognize suspicious attachments.

By combining these mitigation strategies, organizations can reduce the likelihood of exploitation and strengthen overall cyber resilience. 

Old Code, New Risks

These vulnerabilities reveal a challenge in software security: how legacy graphics formats, automatic file parsing, and incomplete historical fixes can combine to reintroduce memory-safety flaws long after their initial discovery. 

For defenders, the message is clear: rigorous patch management for systems that handle untrusted content must be reinforced with layered defenses that limit damage when flaws resurface. 

These vulnerabilities underscore a core cybersecurity truth: trust should never be automatic, the principle that lies at the heart of zero trust.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
