Severity
High
Analysis Summary
Multiple high-severity vulnerabilities have been uncovered in Microsoft’s Graphics Device Interface (GDI), a fundamental component responsible for rendering graphics across Windows operating systems. Discovered by a researcher through an extensive fuzzing campaign targeting the Enhanced Metafile (EMF) format, these flaws allow remote attackers to execute arbitrary code or steal sensitive information. The vulnerabilities, which affect both Windows and Office products, highlight persistent security risks in legacy graphical subsystems that have evolved through decades of Windows versions. Microsoft has since issued patches across multiple Patch Tuesday updates in 2025, yet the discoveries emphasize the continuing challenge of securing deeply embedded graphics components.
The core of these issues lies in GDI’s improper handling of EMF+ record structures used in documents and images processed by applications such as Microsoft Office and modern web browsers. Attackers can exploit these flaws by tricking users into opening malicious files, such as booby-trapped Word documents or image thumbnails, potentially resulting in full system compromise without direct user interaction. The researcher’s technical analysis attributes the root cause to invalid rectangle object handling, buffer overflows, and incomplete prior fixes, revealing that even minor input validation oversights in core system libraries can escalate to severe compromise scenarios.
Among the disclosed flaws, CVE-2025-30388 (CVSS High) allows remote code execution and data leakage through out-of-bounds memory operations during EMF+ record processing, impacting Windows 10, Windows 11, and Office for Mac and Android. The most critical, CVE-2025-53766 (CVSS High), enables attackers to perform out-of-bounds writes within the ScanOperation::AlphaDivide_sRGB function by manipulating oversized rectangle data in EMF records, leading to full remote code execution without requiring privileges. Another flaw, CVE-2025-47984 (CVSS High), involves information disclosure due to incomplete patching of a previous vulnerability (CVE-2022-35837), resulting in over-reads that can expose sensitive heap memory contents and assist further exploitation attempts.
Microsoft has remediated these vulnerabilities via updates to GdiPlus.dll and gdi32full.dll, introducing enhanced validation for rectangle sizes, scan-line boundaries, and offset calculations to mitigate overflow risks. Users are strongly advised to apply the latest security updates (KB5058411, KB5063878, and KB5062553) and enable automatic patching. The researcher further recommends disabling EMF rendering in untrusted environments, using sandboxed document viewers, and monitoring for abnormal graphic-related activities within enterprise systems. These findings underscore the growing security implications of legacy file parsing mechanisms, particularly as remote work and cloud-based workflows continue to expand the attack surface for organizations worldwide.
Impact
- Sensitive Data Theft
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-30388
- CVE-2025-53766
- CVE-2025-47984
Remediation
- Apply Microsoft’s latest security patches immediately.
- Ensure automatic updates are enabled on all Windows and Office systems to receive future security fixes promptly.
- Update GdiPlus.dll and gdi32full.dll to the patched versions that include enhanced input validation for rectangles, scan-lines, and offset calculations.
- Disable EMF rendering in untrusted or external file contexts, especially in email attachments, shared drives, and third-party document viewers.
- Use sandboxed or isolated document viewers (e.g., virtualized environments or Protected View in Office) when opening unknown or untrusted documents and images.
- Implement file content filtering on email gateways and web proxies to block or quarantine EMF and EMF+ files from unverified sources.
- Monitor for abnormal graphics-related behavior such as crashes, unexpected GDI process activity, or suspicious memory access in applications using image rendering.
- Conduct endpoint scanning for malicious or corrupted EMF files across network shares, mail servers, and local storage.
- Enforce least privilege principles to limit the impact of potential exploitation, ensuring users lack unnecessary administrative rights.
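The content-filtering and endpoint-scanning items above need a way to recognise EMF files, tell whether they carry embedded EMF+ records, and flag structurally malformed input before a GDI-based viewer ever parses it. The following scanner is an added example written for this advisory; it is not code from the advisory's author, the researcher, or Microsoft. It relies only on the public EMF record layout (the EMR_HEADER signature " EMF" at offset 40, the 8-byte type/size prefix on every record, and the "EMF+" identifier inside EMR_COMMENT records). The `max_dimension` threshold for header bounds and the `build_sample_emf` helper that constructs test input are assumptions made for the example, not values taken from the page.

```python
import struct

# Record types and constants from the public EMF/EMF+ format (MS-EMF, MS-EMFPLUS)
EMR_HEADER = 0x00000001
EMR_EOF = 0x0000000E
EMR_COMMENT = 0x00000046
EMF_SIGNATURE = 0x464D4520        # bytes " EMF" at offset 40 of the header record
EMFPLUS_COMMENT_ID = 0x2B464D45   # bytes "EMF+" right after DataSize in EMR_COMMENT
MIN_HEADER_SIZE = 88              # smallest legal EMR_HEADER record


def scan_emf(data: bytes, max_dimension: int = 1 << 20) -> dict:
    """Walk the EMF record stream and report facts a gateway or endpoint filter can act on.

    max_dimension is an assumed policy limit on the header bounding rectangle; the
    advisory describes oversized rectangle data as the trigger, so a filter should treat
    absurd bounds as suspicious rather than hand them to the renderer.
    """
    result = {"is_emf": False, "has_emfplus": False, "records": 0, "anomalies": []}
    if len(data) < MIN_HEADER_SIZE:
        return result
    rec_type, _ = struct.unpack_from("<II", data, 0)
    signature = struct.unpack_from("<I", data, 40)[0]
    if rec_type != EMR_HEADER or signature != EMF_SIGNATURE:
        return result
    result["is_emf"] = True

    # Header bounds: RECTL (left, top, right, bottom) as signed 32-bit ints at offset 8
    left, top, right, bottom = struct.unpack_from("<iiii", data, 8)
    if right < left or bottom < top:
        result["anomalies"].append("inverted header bounds")
    elif right - left > max_dimension or bottom - top > max_dimension:
        result["anomalies"].append("oversized header bounds")

    offset = 0
    while offset + 8 <= len(data):
        rec_type, rec_size = struct.unpack_from("<II", data, offset)
        result["records"] += 1
        # Every EMF record is at least 8 bytes and a multiple of 4; anything else is corrupt
        if rec_size < 8 or rec_size % 4 != 0:
            result["anomalies"].append(f"bad record size {rec_size} at offset {offset}")
            break
        if offset + rec_size > len(data):
            result["anomalies"].append(f"record at offset {offset} runs past end of file")
            break
        if rec_type == EMR_COMMENT and rec_size >= 16:
            ident = struct.unpack_from("<I", data, offset + 12)[0]
            if ident == EMFPLUS_COMMENT_ID:
                result["has_emfplus"] = True   # embedded EMF+ records: the code path the CVEs hit
        if rec_type == EMR_EOF:
            break
        offset += rec_size
    else:
        result["anomalies"].append("no EMR_EOF record")
    return result


def build_sample_emf(bounds=(0, 0, 100, 100), with_emfplus=True) -> bytes:
    """Constructed test input (assumed, not a captured file): a minimal EMF stream."""
    header = struct.pack("<II", EMR_HEADER, MIN_HEADER_SIZE)
    header += struct.pack("<iiii", *bounds)                    # Bounds
    header += struct.pack("<iiii", *bounds)                    # Frame
    header += struct.pack("<II", EMF_SIGNATURE, 0x00010000)    # RecordSignature, Version
    header += b"\x00" * (MIN_HEADER_SIZE - len(header))        # remaining header fields zeroed
    body = b""
    if with_emfplus:
        # EmfPlusHeader: Type 0x4001, Flags, Size 28, DataSize 16, Version, EmfPlusFlags, DpiX, DpiY
        plus_header = struct.pack("<HHIIIIII", 0x4001, 0, 28, 16, 0xDBC01002, 0, 96, 96)
        payload = struct.pack("<I", EMFPLUS_COMMENT_ID) + plus_header
        body += struct.pack("<III", EMR_COMMENT, 12 + len(payload), len(payload)) + payload
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)        # Type, Size, nPalEntries, offPalEntries, SizeLast
    return header + body + eof


if __name__ == "__main__":
    print(scan_emf(build_sample_emf()))
    print(scan_emf(build_sample_emf()[:-10]))
    print(scan_emf(build_sample_emf(bounds=(0, 0, 1 << 30, 100))))
```

A gateway rule built on this would quarantine anything where `is_emf` is true and either `has_emfplus` is set or `anomalies` is non-empty, which matches the advisory's advice to block EMF and EMF+ from unverified sources while still letting the file be inspected without rendering it. The scanner deliberately never interprets record contents beyond the fixed-size prefixes, so it cannot itself be driven into the parsing paths the CVEs describe.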