Check Point Research discovered multiple vulnerabilities in Windows GDI related to EMF+ metafile processing that could allow out-of-bounds reads/writes and information disclosure, and reported them to Microsoft, which issued fixes in the May, July, and August 2025 Patch Tuesday updates. #CVE-2025-30388 #CVE-2025-53766 #CVE-2025-47984
Key points
- Check Point Research’s EMF+ fuzzing campaign found three GDI vulnerabilities in GdiPlus.dll and gdi32full.dll that were patched by Microsoft in 2025.
- CVE-2025-30388 (important, “Exploitation More Likely”) is a heap-based buffer overflow triggered by invalid RECT objects in EmfPlusSetTSClip leading to out-of-bounds memory access during EmfPlusDrawString/Fill operations.
- CVE-2025-53766 (critical) allows out-of-bounds writes via malformed EmfPlusDrawRects records and a failure to constrain requested scan-lines in EpScanBitmap::NextBuffer(), enabling remote exploitation without user interaction.
- CVE-2025-47984 (important) is an information disclosure bug in MRSTARTDOC::bPlay() / StringLengthWorkerW() caused by incorrect offset arithmetic and incomplete prior fixes, allowing over-reads of heap memory.
- Patches introduced input validation functions (ValidateAndSet/IsRectValid), scan-line bounds checks in EpScanBitmap::NextBuffer(), and corrected offset handling in MRSTARTDOC::bPlay().
- The vulnerabilities affect thumbnail generation and document/image rendering paths (including Office on Mac and Android), increasing the attack surface for remote or web-based vectors.
- The findings highlight that partial fixes can leave residual vulnerabilities and stress the need for comprehensive verification, continuous fuzzing, and vendor-researcher collaboration.
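The validation the patches added, modelled as an added C example that is neither Check Point's nor Microsoft's code: rect_is_valid plays the role the summary attributes to IsRectValid (rejecting inverted or wrapping RECTs before a clip is set), scanline_request_ok models the kind of bound added to EpScanBitmap::NextBuffer(), and clamp_fill_rows shows a fill path trusting the clamped range rather than the record's coordinates. The struct layout, function names and exact semantics are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed rectangle type standing in for the RECT objects carried by
 * EmfPlusSetTSClip / EmfPlusDrawRects records (assumption, not the real layout). */
typedef struct { int32_t left, top, right, bottom; } rect_t;

/* Hypothetical check in the role of IsRectValid: reject inverted rectangles
 * and extents whose width/height would wrap in 32-bit arithmetic, the two
 * conditions that let a RECT index outside the clip buffer. */
bool rect_is_valid(const rect_t *r) {
    if (r->right < r->left || r->bottom < r->top) return false;
    if ((int64_t)r->right - (int64_t)r->left > INT32_MAX) return false;
    if ((int64_t)r->bottom - (int64_t)r->top > INT32_MAX) return false;
    return true;
}

/* Convenience wrapper so callers can pass coordinates directly. */
bool check_rect(int32_t l, int32_t t, int32_t r, int32_t b) {
    rect_t rc = { l, t, r, b };
    return rect_is_valid(&rc);
}

/* Hypothetical bound in the role of the scan-line check in NextBuffer():
 * a request for `count` rows starting at row `y` is honoured only if it lies
 * entirely inside a `height`-row bitmap. The subtraction cannot underflow
 * because y < height has already been established. */
bool scanline_request_ok(uint32_t y, uint32_t count, uint32_t height) {
    if (count == 0 || y >= height) return false;
    return count <= height - y;
}

/* Rows a fill of `r` may touch in a `height`-row target: writes the clamped
 * [first, first+count) range and returns 0, or returns -1 when the rectangle
 * is invalid, empty, or lies entirely outside the bitmap. */
int clamp_fill_rows(const rect_t *r, uint32_t height, uint32_t *first, uint32_t *count) {
    if (!rect_is_valid(r)) return -1;
    if (r->bottom <= 0 || (int64_t)r->top >= (int64_t)height) return -1;
    int64_t top = r->top < 0 ? 0 : r->top;
    int64_t bottom = (int64_t)r->bottom > (int64_t)height ? (int64_t)height : r->bottom;
    if (bottom <= top) return -1;              /* empty after clamping */
    *first = (uint32_t)top;
    *count = (uint32_t)(bottom - top);
    return 0;
}
```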
MITRE Techniques
- [T1204] Remote File Processing – Malicious EMF+ metafiles are processed by GDI/thumbnailing and rendering components, enabling remote exploitation via specially crafted files (“…using a specially crafted EMF+ metafile…”).
- [T1040] Network Sniffing / Information Disclosure (data from local system) – Leaking of heap memory via rendered filled rectangles in Word allows disclosure of memory contents (“…leaks memory and eventually Word is unexpectedly terminated… it can lead to information disclosure if an attacker can read back the rendered image…”).
- [T1222] Exploitation of Privilege/Trust – Parsing services (thumbnail generation, document rendering) accept attacker-crafted metafiles without privileges or user interaction, enabling remote code execution or memory corruption (“…requires no privileges or user interaction and can be exploited remotely over a network…”).
- [T1609] Software Component Vulnerability – Vulnerabilities stem from improper validation and bounds checking in GDI components (GdiPlus.dll and gdi32full.dll), e.g., invalid RECT validation and incorrect offset arithmetic (“…presence of invalid RECT objects…”, “…correcting the offset arithmetic…”).
Indicators of Compromise
- [CVE Identifiers] referenced vulnerabilities – CVE-2025-30388, CVE-2025-53766, CVE-2025-47984
- [File/Module Names] affected binaries and functions – GdiPlus.dll (ScanOperation::AlphaMultiply_sRGB, AlphaDivide_sRGB, EpScanBitmap::NextBuffer), gdi32full.dll (StringLengthWorkerW, MRSTARTDOC::bPlay)
- [KB Updates] Microsoft patch identifiers – KB5058411 (May 2025), KB5062553 (July 2025), KB5063878 (August 2025)
- [EMF+ Record Names] malicious record types used in PoCs – EmfPlusClear, EmfPlusDrawString, EmfPlusSetTSClip, EmfPlusFillRects, EmfPlusDrawRects, EMR_STARTDOC