🔴 HIGH advisory

Microsoft GDI Vulnerabilities - RCE & Info Leak Patched

Check Point Research uncovered three GDI flaws in Windows that live in the rendering pipeline: any preview, thumbnail, or browser render can trigger them. What's nasty: CVE-2025-30388 (Important severity, rated "Exploitation More Likely") and CVE-2025-53766 (Critical RCE) are both triggered by crafted EMF+ metafiles that cause out-of-bounds memory operations in GdiPlus.dll. CVE-2025-47984 is an information disclosure bug in which specially crafted EMR_STARTDOC records leak adjacent memory by forcing StringLengthWorkerW() to read past the end of its buffer. Microsoft patched these in the May, July, and August 2025 Patch Tuesday releases. What's interesting: CVE-2025-47984 is actually an incomplete fix for CVE-2022-35837; the original patch only partially addressed the offset arithmetic issue, and CPR's fuzzing campaign caught the remainder years later. The attack surface is huge: any Windows system that renders EMF/EMF+ content in browsers, preview handlers, imaging libraries, or thumbnail generation is exposed. In CVE-2025-30388 the attacker controls the value written to memory via the color field of an EmfPlusARGB object, meaning a controlled out-of-bounds write rather than just a crash. Classic reminder that graphics parsers remain a durable attack surface across desktop and server deployments.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: RCE and data exposure via ubiquitous graphics routines can enable initial access through innocuous file previews, impacting workstation fleets and app servers.

Defensive Priority: Expedite verification of the May/July/August 2025 patches, restrict EMF/EMF+ from untrusted sources, and monitor for abnormal GDIPlus activity.

Industry Implications: Document and imaging workflows remain a durable endpoint attack surface requiring content disarm/analysis and least-privilege rendering.

Strategic Intelligence Guidance

  • Confirm KB-level patch compliance on Windows builds that process EMF/EMF+; include gold images and VDI templates
  • Implement CDR or strip EMF/EMF+ from inbound email and web uploads in high-risk workflows
  • Create EDR detections for GDIPlus.dll crashes and suspicious thumbnail generation on servers
  • Harden user context by removing unnecessary local admin rights to reduce RCE blast radius
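The CDR and detection items above both hinge on being able to recognise EMF/EMF+ content before a renderer touches it. The following is an added example written for this advisory, not code from Check Point Research or Microsoft: a small Python inspector that walks the EMF record stream, flags the two record kinds the advisory names (EMF+ comment records and EMR_STARTDOC), and treats structurally malformed files as block-worthy. Record type values and the header/comment signatures come from the public MS-EMF specification; the sample metafile is constructed inline, and the blocking policy in `should_block()` is an assumption for illustration, not a vendor recommendation.

```python
import struct

# Record type identifiers and signatures from the MS-EMF specification.
EMR_HEADER = 0x00000001
EMR_EOF = 0x0000000E
EMR_COMMENT = 0x00000046
EMR_STARTDOC = 0x0000006B
ENHMETA_SIGNATURE = 0x464D4520   # stored little-endian, reads as b" EMF" on disk
EMFPLUS_COMMENT_ID = 0x2B464D45  # stored little-endian, reads as b"EMF+" on disk


def inspect_emf(data: bytes) -> dict:
    """Walk the EMF record stream and report what a renderer would have to parse.

    Returns: is_emf, malformed, records, has_emfplus, has_startdoc.
    """
    report = {"is_emf": False, "malformed": False, "records": 0,
              "has_emfplus": False, "has_startdoc": False}
    if len(data) < 88:                       # EMR_HEADER alone is 88 bytes
        return report
    rtype = struct.unpack_from("<I", data, 0)[0]
    sig = struct.unpack_from("<I", data, 40)[0]
    if rtype != EMR_HEADER or sig != ENHMETA_SIGNATURE:
        return report                        # not EMF at all; leave it to other filters
    report["is_emf"] = True

    off = 0
    while off + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, off)
        # Every record is at least 8 bytes, 4-byte aligned and inside the file;
        # anything else is corrupt or hostile and should not reach a renderer.
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            report["malformed"] = True
            return report
        report["records"] += 1
        if rtype == EMR_COMMENT and rsize >= 16:
            # EMR_COMMENT_EMFPLUS: DataSize at +8, CommentIdentifier at +12
            if struct.unpack_from("<I", data, off + 12)[0] == EMFPLUS_COMMENT_ID:
                report["has_emfplus"] = True
        elif rtype == EMR_STARTDOC:
            report["has_startdoc"] = True
        elif rtype == EMR_EOF:
            return report
        off += rsize
    report["malformed"] = True               # ran off the end without an EMR_EOF
    return report


def should_block(data: bytes) -> bool:
    """Assumed policy: quarantine EMF that is malformed or carries EMF+ / EMR_STARTDOC."""
    r = inspect_emf(data)
    return r["is_emf"] and (r["malformed"] or r["has_emfplus"] or r["has_startdoc"])


def _record(rtype: int, payload: bytes) -> bytes:
    """Build one EMF record (Type, Size, payload) padded to a 4-byte boundary."""
    size = 8 + len(payload)
    pad = (-size) % 4
    return struct.pack("<II", rtype, size + pad) + payload + b"\0" * pad


def build_sample(with_emfplus: bool, with_startdoc: bool) -> bytes:
    """Constructed minimal EMF used only as test input; not a real-world file."""
    # EMR_HEADER: zeroed Bounds/Frame (32 bytes), Signature, Version 0x10000, zeros to 88 bytes.
    hdr_payload = b"\0" * 32 + struct.pack("<II", ENHMETA_SIGNATURE, 0x00010000) + b"\0" * 40
    recs = [_record(EMR_HEADER, hdr_payload)]
    if with_emfplus:
        recs.append(_record(EMR_COMMENT, struct.pack("<II", 8, EMFPLUS_COMMENT_ID) + b"\0" * 4))
    if with_startdoc:
        recs.append(_record(EMR_STARTDOC, b"\0" * 4))
    recs.append(_record(EMR_EOF, struct.pack("<III", 0, 16, 20)))
    return b"".join(recs)


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True)]:
        sample = build_sample(*flags)
        print(flags, inspect_emf(sample), "block" if should_block(sample) else "allow")
```

Run this in front of an upload handler or mail gateway to decide what goes to a sandboxed renderer versus quarantine; the same `inspect_emf()` report is a useful enrichment field for the EDR detections above, since a GDIPlus.dll crash preceded by a flagged file is far more actionable than the crash alone.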

CVEs

  • CVE-2025-53766
  • CVE-2025-30388
  • CVE-2025-47984

Vendors

Microsoft

Threats

  • remote code execution
  • information disclosure

Targets

  • Windows desktop
  • Windows Server
  • VDI environments