Check Point Research discovered a vulnerability in the new Rust-based win32kbase_rs.sys Windows kernel component that could be triggered by malformed EMF/EMF+ metafiles to cause a SYSTEM_SERVICE_EXCEPTION (BSOD), and Microsoft remediated the issue in OS Build 26100.4202 via KB5058499. The bug arises from out-of-bounds behavior in region_from_path_mut() when processing EmfPlusDrawBeziers/pen data and was exploitable to crash user systems by drawing a crafted metafile (#win32kbase_rs.sys #EmfPlusDrawBeziers)
Keypoints
- CPR fuzzed Windows GDI/EMF+ with WinAFL and related tooling, finding multiple issues including a kernel panic triggered after extensive mutations.
- The crash manifested as a SYSTEM_SERVICE_EXCEPTION during NtGdiSelectClipPath in win32kbase_rs.sys (Rust-based kernel component) when processing malformed EMF+ records.
- A malformed EmfPlusDrawBeziers record combined with specific EmfPlusObject (pen) data produced a path geometry that caused out-of-bounds indexing in region_from_path_mut().
- Reproduction required many mutations (about 380,000) but was made practical by modifying the harness to exfiltrate mutated samples to a remote server for analysis.
- Microsoft classified the issue as a moderate denial-of-service, fixed it in win32kbase_rs.sys version 10.0.26100.4202 (KB5058499) by adding bounds-hardened code (add_edge_new()) and a feature flag.
- The vulnerable component was not present on Windows Server builds; MSRC confirmed threat actors could craft metafiles to cause disruptive crashes across enterprise clients.
- CPR emphasizes that language choice (Rust) reduces some classes of bugs but does not eliminate design/logic errors or improper failure modes that can cause system-wide crashes.
MITRE Techniques
- [T1204] User Execution: Malicious metafiles are executed/displayed by user-level functions (Graphics::FromImage() / DrawImage()) which process attacker-controlled EMF+/EMF content, leading to a kernel panic: "the BugCheck can be triggered by invoking the DrawImage() method on the Graphics object created from the Metafile."
- [T1068] Exploitation for Privilege Escalation: (contextual) The vulnerability allows causing a system-wide crash from low-integrity user sessions by displaying crafted metafiles, disrupting systems: "this works from low integrity within a standard user session and affects both x86 and x64 systems."
- [T1609] Resource Hijacking/Denial-of-Service: Crafted metafiles cause SYSTEM_SERVICE_EXCEPTION/BSOD by triggering out-of-bounds in region_from_path_mut(), producing denial-of-service: "...core::panicking::panic_bounds_check() and triggers a SYSTEM_SERVICE_EXCEPTION."
Indicators of Compromise
- [File/Record] crash-triggering EMF+ record: EmfPlusDrawBeziers with malformed PointData (example: a record containing 17 points while Count=4 as shown in Listing 4).
- [File/Record] crafted Pen object fields: EmfPlusObject/EmfPlusPenData with anomalous PenWidth and OptionalData (example values: PenWidth = 0xFFFFFFEE, OptionalData StartCap=0x0000FC05).
- [Driver/Version] vulnerable kernel module: win32kbase_rs.sys version 10.0.26100.3037 (fixed in 10.0.26100.4202 via KB5058499).
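The Count-vs-PointData mismatch in the first indicator can be checked before a file ever reaches GDI+. The scanner below is an added example, not code from the Check Point write-up: it walks a raw EMF+ record stream and reports EmfPlusDrawBeziers records whose declared Count disagrees with the bytes actually present. Record type and flag values (0x4019, C=0x8000, P=0x4000) and the minimum of four points are assumed from MS-EMFPLUS; the sample records are constructed here.

```python
import struct

# EMF+ record header: Type(u16) Flags(u16) Size(u32) DataSize(u32), little-endian.
# Constants as documented in MS-EMFPLUS (assumption: not taken from the article).
EMFPLUS_DRAWBEZIERS = 0x4019
FLAG_C = 0x8000  # PointData holds 16-bit EmfPlusPoint entries (4 bytes each)
FLAG_P = 0x4000  # PointData holds variable-length relative EmfPlusPointR entries

def iter_records(blob):
    """Yield (type, flags, data) per record; data is None for a bad header."""
    off = 0
    while off + 12 <= len(blob):
        rtype, flags, size, datasize = struct.unpack_from("<HHII", blob, off)
        if size < 12 or datasize > size - 12 or off + size > len(blob):
            yield rtype, flags, None
            return
        yield rtype, flags, blob[off + 12:off + 12 + datasize]
        off += size

def check_draw_beziers(flags, data):
    """Return findings for one EmfPlusDrawBeziers record body (Count + PointData)."""
    if len(data) < 4:
        return ["DrawBeziers: no room for Count"]
    count = struct.unpack_from("<I", data)[0]
    out = [f"DrawBeziers: Count={count} is below the minimum of 4"] if count < 4 else []
    if flags & FLAG_P:
        return out + ["DrawBeziers: relative points, length not verified"]
    actual = (len(data) - 4) // (4 if flags & FLAG_C else 8)
    if actual != count:
        out.append(f"DrawBeziers: Count={count} but PointData holds {actual} points")
    return out

def scan(blob):
    """Walk an EMF+ record stream and collect consistency findings."""
    out = []
    for rtype, flags, data in iter_records(blob):
        if data is None:
            out.append(f"record 0x{rtype:04X}: truncated or inconsistent header")
        elif rtype == EMFPLUS_DRAWBEZIERS:
            out += check_draw_beziers(flags, data)
    return out

def make_beziers(count, npoints, flags=0):
    """Constructed sample record: Count field vs. actual float points in PointData."""
    body = struct.pack("<I", count) + b"\0" * (8 * npoints)
    return struct.pack("<HHII", EMFPLUS_DRAWBEZIERS, flags, 12 + len(body), len(body)) + body

GOOD = make_beziers(4, 4)    # consistent record: Count=4, four points
BAD = make_beziers(4, 17)    # Count=4 but 17 points, the shape described in the report
```

In a real EMF file the EMF+ records are carried inside EMR_COMMENT records, so a production scanner would first extract that comment payload and then hand it to scan().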
Read more: https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/