Windows GDI Flaws Expose Users to RCE and Data Loss

Sketchy Graphics: Windows GDI Flaws Open RCE and Data Loss

Check Point finds Windows GDI bugs enabling RCE and data leaks. Learn how Microsoft patched and how to protect your systems.

Written By
Ken Underhill
Ken Underhill
Nov 3, 2025
4 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Windows users received a trio of important graphics fixes this year after Check Point researchers uncovered vulnerabilities in the Graphics Device Interface (GDI) that could enable remote code execution (RCE) and information disclosure. 

GDI is widely used by Windows and third-party applications to render graphics, thumbnails, and print jobs. 

Because many systems automatically preview or render images, GDI flaws can be exploited through drive-by file handling — triggering code execution or data leaks without user interaction.

Microsoft addressed the issues across multiple patch releases, but organizations still need to validate patch coverage and harden systems parsing untrusted image content.

“This vulnerability could potentially allow a remote attacker to perform out-of-bounds read or write memory operations using a specially crafted EMF+ metafile,” said Check Point researchers about CVE-2025-30388.

Three GDI Flaws, One Big Risk

Check Point researchers discovered three distinct vulnerabilities in the Windows Graphics Device Interface (GDI) that affect how Windows handles Enhanced Metafile (EMF+) and related image formats.

CVE-2025-30388

The first vulnerability, CVE-2025-30388 was deemed more likely to be exploited, and involves an out-of-bounds read/write during EMF+ processing in functions such as EmfPlusDrawString, EmfPlusFillRects, and EmfPlusFillClosedCurve

The flaw stems from invalid rectangle (RECT) data introduced through the EmfPlusSetTSClip record, which corrupts memory when subsequent records are processed. 

The vulnerability was traced to functions like ScanOperation::AlphaMultiply_sRGB() in GdiPlus.dll, where improper validation allowed out-of-bounds access. 

Depending on the record sequence, attackers could achieve memory corruption or information disclosure. 

Microsoft addressed this issue by introducing new validation routines — ValidateAndSet() and IsRectValid() — to prevent malformed RECTs from being processed.

Advertisement

CVE-2025-53766

The second vulnerability, CVE-2025-53766, is a remote code execution (RCE) flaw caused by an out-of-bounds write in the ScanOperation::AlphaDivide_sRGB() function. 

This issue can be triggered using a specially crafted EmfPlusDrawRects record, which manipulates scan-line processing to exceed the boundaries of the target bitmap. 

Attackers could exploit this condition to write arbitrary data into restricted memory regions, potentially achieving RCE. 

Microsoft mitigated the weakness by modifying the EpScanBitmap::NextBuffer() function to limit scan-line requests to the image’s height, preventing buffer overruns and out-of-bounds access.

CVE-2025-47984

Finally, CVE-2025-47984 arises from an out-of-bounds read in the EMR_STARTDOC record handler. 

The underlying cause was found in the StringLengthWorkerW() function, which failed to properly validate string offsets, allowing reads beyond allocated buffers if the input string lacked a null terminator. 

This flaw was linked to an incomplete patch for a previous issue, CVE-2022-35837

Microsoft corrected the offset arithmetic in MRSTARTDOC::bPlay() so that pointer validation aligns with the actual data being referenced, closing the loophole that had persisted through earlier remediation efforts.

Collectively, these issues map to memory corruption and protection-mechanism failures that attackers can trigger using specially crafted EMF/EMF+ files delivered via web content, documents, or print paths. 

The attack complexity is moderate, but the ubiquity of parsing paths increases exposure, especially on systems rendering thumbnails or handling untrusted graphics.

Advertisement

Reduce Your Attack Surface

To reduce exposure to the Windows GDI vulnerabilities, organizations should take immediate and layered action. 

The following mitigations combine patch management, access control, monitoring, and user awareness to minimize both exploitation risk and potential impact.

  • Patch and verify fixes: Apply all recent security updates across Windows and Office environments and confirm systems are fully updated.
  • Limit automatic rendering: Disable or restrict automatic previewing, thumbnail generation, and legacy graphics features in high-risk workflows.
  • Harden print and file handling: Restrict access to print and file operations, segment related servers, and enforce least privilege for users and services.
  • Strengthen execution controls: Block unauthorized software from running and enable system-level exploit mitigations to prevent memory attacks.
  • Enhance detection and isolation: Monitor for abnormal graphics activity, analyze crashes, and isolate untrusted files or media in secure environments.
  • Filter and educate: Filter risky image formats at gateways, run regular vulnerability scans, and train users to recognize suspicious attachments.

By combining these mitigation strategies, organizations can reduce the likelihood of exploitation and strengthen overall cyber resilience. 

Old Code, New Risks

These vulnerabilities reveal a challenge in software security: how legacy graphics formats, automatic file parsing, and incomplete historical fixes can combine to reintroduce memory-safety flaws long after their initial discovery. 

For defenders, the message is clear — rigorous patch management for systems that handle untrusted content must be reinforced with layered defenses that limit damage when flaws resurface. 

These vulnerabilities underscore a core cybersecurity truth — trust should never be automatic, a principle that lies at the heart of zero-trust.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.