Security researchers have identified a series of vulnerabilities within Microsoft’s Windows Graphics Device Interface (GDI), a foundational component responsible for rendering everything from text to images. These newly discovered flaws could open the door for attackers to execute malicious code remotely or access sensitive information across a broad spectrum of Windows systems.
Check Point Research (CPR) brought these issues to light, pointing to weaknesses in key GDI libraries, GdiPlus.dll and gdi32full.dll. Microsoft has since rolled out patches for these problems during its monthly Patch Tuesday updates in May, July, and August of 2025.
The findings stem from CPR’s dedicated efforts, specifically a “fuzzing” campaign that meticulously tested Enhanced Metafile (EMF) and EMF+ formats. This intensive scrutiny uncovered three distinct vulnerabilities, broadening our understanding of potential attack vectors within Windows’ graphics processing capabilities. The core issue revolves around how these systems handle malformed or untrusted graphic content, potentially leading to memory corruption. This discovery builds upon previous work on system security, similar to how researchers uncover new TEE.fail side-channel attacks compromising trusted execution environments.
CVE-2025-30388: Memory Read/Write Errors
One vulnerability, designated CVE-2025-30388, is rated “important” and seen as having a higher likelihood of exploitation. This flaw resides in GdiPlus.dll and involves memory read/write errors. It can be triggered when specially crafted EMF+ metafiles manipulate invalid rectangle objects during text rendering. An attacker might control values written to memory by influencing color components in EmfPlusClear records, potentially causing a heap-based buffer overflow. Microsoft addressed this in May 2025 through KB5058411, adding validation checks for RECT objects. Notably, this particular issue also impacts Microsoft Office products on Mac and Android, according to Check Point Research.
CVE-2025-53766: Remote Code Execution
Another, more critical vulnerability, CVE-2025-53766, allows for remote code execution. This “critical” flaw in GdiPlus.dll involves improper scan-line bounds checks during thumbnail generation. An attacker could craft EmfPlusDrawRects records within an EMF+ metafile, pushing scan positions beyond a bitmap’s allocated boundaries. This exploit requires no special privileges or user interaction and can be carried out remotely, posing a significant risk to any web services that process metafiles. Microsoft released a fix for this in August 2025 through KB5063878, ensuring that requested scan-lines stay within bitmap boundaries. Such vulnerabilities underscore the ongoing challenge of securing widely used operating systems, a challenge also seen when Chinese state-linked groups exploit Windows zero-days.
CVE-2025-47984: Information Disclosure
The third vulnerability, CVE-2025-47984, is an “important” information disclosure issue found in gdi32full.dll. It relates to incorrect string handling during the setup of print jobs. This flaw is actually a partial fix for an older vulnerability (CVE-2022-35837), illustrating the complexities of fully patching security holes. The problem arises when the StringLengthWorkerW() function, meant to check user-controlled data length, expects null-terminated strings. If a string isn’t properly terminated, the function can read beyond its buffer, potentially exposing heap data. Microsoft provided a fix for this in July 2025 via KB5062553, adjusting offset calculations to ensure string validation aligns with the referenced data.
These revelations underscore the persistent security challenges inherent in complex graphics pipelines. As Check Point Research aptly observed, “introducing a vulnerability is often easy, fixing it can be difficult, and verifying that a fix is both thorough and effective is even more challenging.” For all Windows users, continuous vigilance and prompt application of security updates remain paramount in mitigating these potential risks, ensuring protection against memory corruption and remote code execution.