Thursday, March 5, 2026

Severe Windows Graphics Flaw Allows Full System Takeover via a Single Image

In May 2025, Zscaler ThreatLabz uncovered CVE-2025-50165, a critical remote code execution flaw in the Windows Graphics Component with a CVSS score of 9.8.

This untrusted-pointer dereference in windowscodecs.dll affects applications such as Microsoft Office that process images, allowing attackers to trigger it through a malicious JPEG embedded in a document.

Opening such a file allows complete system takeover with no user interaction beyond rendering the image.

Microsoft patched the issue on August 12, 2025, during Patch Tuesday, targeting Windows 11 24H2 and Windows Server 2025.

The flaw stems from dereferencing an uninitialized pointer at windowscodecs!jpeg_finish_compress+0xcc, recognizable in WinDbg crash dumps by the c0c0c0c0c0c0c0c0 fill pattern in the faulting register.

Heap spraying allows attackers to control this pointer, leading to instruction pointer hijacking via functions such as CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource.

Technical Breakdown and Mitigation

Product                    Impacted Version     Patched Version
Windows Server 2025        10.0.26100.4851      10.0.26100.4946
Windows 11 24H2 x64        10.0.26100.4851      10.0.26100.4946
Windows 11 24H2 ARM64      10.0.26100.4851      10.0.26100.4946
Windows Server 2025 Core   10.0.26100.4851      10.0.26100.4946
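Added example (written for this page, not code from Zscaler ThreatLabz or the article): a small triage script that scores Windows build strings against the patched builds listed in the table above. It treats 10.0.26100.4946 as the first fixed build, anything earlier on the 26100 branch as vulnerable, and any other branch as outside the table. The hostnames and versions in the sample inventory are constructed; the registry lookup uses the standard CurrentVersion key and only runs on Windows.

```python
import sys
from typing import Optional

# Builds taken from the article's table: every listed product was fixed in the
# same 26100-branch cumulative update.
AFFECTED_BUILD = 26100        # Windows 11 24H2 / Windows Server 2025 branch
FIRST_PATCHED_UBR = 4946      # 10.0.26100.4946 carries the August 2025 fix
LAST_VULNERABLE_UBR = 4851    # 10.0.26100.4851 is the impacted build listed


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.build.ubr' into four ints.

    Anything that is not exactly four dot-separated numbers is rejected so a
    malformed inventory record fails loudly instead of being mis-scored.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    return major, minor, build, ubr


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'other-branch' for a build string."""
    major, minor, build, ubr = parse_version(version)
    if (major, minor, build) != (10, 0, AFFECTED_BUILD):
        # Not a 26100-series build: the table says nothing about it, so the
        # script does not guess; consult the vendor advisory for that branch.
        return "other-branch"
    return "patched" if ubr >= FIRST_PATCHED_UBR else "vulnerable"


def local_version() -> Optional[str]:
    """Read the running Windows build from the registry; None on other OSes."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    major = int(winreg.QueryValueEx(key, "CurrentMajorVersionNumber")[0])
    minor = int(winreg.QueryValueEx(key, "CurrentMinorVersionNumber")[0])
    build = int(winreg.QueryValueEx(key, "CurrentBuildNumber")[0])
    ubr = int(winreg.QueryValueEx(key, "UBR")[0])
    return f"{major}.{minor}.{build}.{ubr}"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Score a {hostname: version} inventory, keeping malformed entries visible."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = assess(version)
        except ValueError:
            results[host] = "unparseable"
    return results


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "srv-2025-01": "10.0.26100.4851",   # impacted build from the table
        "wks-24h2-07": "10.0.26100.4946",   # first patched build
        "wks-24h2-09": "10.0.26100.5020",   # a later cumulative update
        "wks-23h2-02": "10.0.22631.4000",   # different branch, not in the table
        "bad-record": "26100",              # malformed inventory entry
    }
    for host, verdict in triage(sample).items():
        print(f"{host:14} {sample[host]:18} {verdict}")
    here = local_version()
    if here:
        print(f"{'this host':14} {here:18} {assess(here)}")
```

The script deliberately reports "other-branch" rather than "patched" for builds the table does not cover, so a fleet report never marks a host safe on the strength of a version the advisory never mentioned.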

ThreatLabz found the bug by fuzzing at GpReadOnlyMemoryStream::InitFile line 51, substituting a MutatedBufferSize for FileSize so that the buffers returned by MapViewOfFile were corrupted.

Exploitation involves allocating 0x3ef7-byte heap chunks with ROP chains, freeing some for reuse, triggering the dereference, and pivoting the stack to the chain for VirtualAlloc of RWX memory.

ROP gadgets such as mov dword [rax], rcx write the shellcode into that memory before jumping to it; the 32-bit build has no CFG to contend with, while the 64-bit build requires a CFG bypass.

Their PoC application lets the user spray the heap (menu options 1 and 2), process a Base64-encoded JPEG through WIC decoder code (option 3), and exit, demonstrating RIP control as shown in their demo video.

Users must update to the patched builds immediately: the component is integral to Windows, so every unpatched installation is at risk.

Zscaler deployed protections, but timely patching remains key against weaponized JPEGs in emails or files.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
