Zscaler ThreatLabz uncovered CVE-2025-50165 in May 2025, a critical remote code execution flaw in the Windows Graphics Component with a CVSS score of 9.8.
This untrusted-pointer dereference in windowscodecs.dll affects apps like Microsoft Office that process images, enabling attackers to trigger it via a malicious JPEG embedded in documents.
Opening such a file allows complete system takeover without user interaction beyond rendering the image.
Microsoft patched the issue on August 12, 2025, during Patch Tuesday, targeting Windows 11 24H2 and Windows Server 2025.
The flaw stems from dereferencing uninitialized memory at windowscodecs!jpeg_finish_compress+0xcc, identifiable by the c0c0c0c0c0c0c0c0 pattern in WinDbg dumps.
Heap spraying allows attackers to control this pointer, leading to instruction pointer hijacking via functions such as CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource.
ThreatLabz found the bug through fuzzing at GpReadOnlyMemoryStream::InitFile line 51, replacing FileSize with MutatedBufferSize to corrupt MapViewOfFile buffers.
Exploitation involves allocating 0x3ef7-byte heap chunks with ROP chains, freeing some for reuse, triggering the dereference, and pivoting the stack to the chain for VirtualAlloc of RWX memory.
ROP gadgets such as mov dword [rax], rcx then write the shellcode into that memory before jumping to it; the 32-bit build lacks Control Flow Guard (CFG), while the 64-bit build requires a CFG bypass.
Their PoC app lets users spray the heap (options 1-2), process a Base64-encoded JPEG (option 3) using WIC decoder code, and exit, demonstrating RIP control as shown in their demo video.
Users must update to patched builds immediately, since this core component leaves every unpatched Windows system exposed.
Zscaler deployed protections, but timely patching remains key against weaponized JPEGs in emails or files.
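Because the trigger is an embedded JPEG being rendered, one interim control while hosts are unpatched is to hold documents that carry JPEG media. The triage helper below is an added example written for this article, not ThreatLabz or Microsoft code; it assumes only that an Office document is a ZIP container with images under a media/ folder, and the sample document it scans is constructed in memory.

```python
"""Triage helper: find JPEG payloads embedded in Office Open XML documents."""
import io
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker followed by the first segment marker


def find_embedded_jpegs(doc_bytes: bytes) -> list[dict]:
    """Return one record per media member that is a JPEG by content or by name.

    Extension and magic are checked separately so a JPEG renamed to .png (or a
    .jpg that is not really a JPEG) is reported rather than silently trusted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if "/media/" not in info.filename:
                continue
            with zf.open(info) as fh:
                head = fh.read(3)
            name_says_jpeg = info.filename.lower().endswith((".jpg", ".jpeg"))
            magic_says_jpeg = head == JPEG_MAGIC
            if name_says_jpeg or magic_says_jpeg:
                findings.append({
                    "member": info.filename,
                    "size": info.file_size,
                    "magic_matches_extension": name_says_jpeg == magic_says_jpeg,
                })
    return findings


def should_quarantine(doc_bytes: bytes) -> bool:
    """Hold the document if it carries any JPEG, since decoding is the trigger."""
    return bool(find_embedded_jpegs(doc_bytes))


def build_sample_docx() -> bytes:
    """Constructed .docx-shaped ZIP: a real JPEG header, a JPEG hiding as .png, a PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.jpeg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        zf.writestr("word/media/image2.png", JPEG_MAGIC + b"\xe1" + b"\x00" * 16)
        zf.writestr("word/media/image3.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in find_embedded_jpegs(build_sample_docx()):
        print(rec)
```

A record whose magic_matches_extension is False is the more suspicious case, since a JPEG disguised under another extension still reaches the JPEG decoder once the document is rendered.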