CVE-2005-2123
published 2005-11-29

Priority: P260 high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 65.08% (99.2th percentile)

Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.

Affected

7 ranges

Vendor     Product              Version range  Fixed in
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server

Detection & IOCs (extracted from sources)

filename: MS053.wmf
bytes: d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6 01 00 09 00 00 03 ff ff ff 7f 00 00 ff ff ff ff 00 00
  • The vulnerability is in GDI32.DLL (Graphics Rendering Engine) via integer overflows in WMF/EMF parsing, specifically demonstrated through MRBP16::bCheckRecord; monitor for abnormal GDI32.DLL crashes or heap-based buffer overflows triggered by image rendering.
  • Malicious WMF file begins with magic bytes D7 CD C6 9A; scan email attachments, web downloads, and file shares for WMF files bearing this header combined with mtNoObjects=0x0000.
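
Added example (not part of this entry or of any vendor tooling): a triage helper that decodes the placeable-WMF header and METAHEADER from the bytes listed above and applies the stated indicator. D7 CD C6 9A is the standard placeable-WMF key and also appears in benign files, so the magic only selects files to parse; the size-consistency check and the names `parse_wmf_header` and `triage` are assumptions of this example.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # bytes D7 CD C6 9A read as a little-endian DWORD
PLACEABLE_LEN = 22             # placeable header that precedes the METAHEADER
METAHEADER_FMT = "<HHHIHIH"    # 18-byte standard WMF header
METAHEADER_FIELDS = ("mtType", "mtHeaderSize", "mtVersion", "mtSize",
                     "mtNoObjects", "mtMaxRecord", "mtNoParameters")

# The 40 header bytes this entry lists for MS053.wmf (header only, no records).
SAMPLE_HEADER = bytes.fromhex(
    "d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6"
    "01 00 09 00 00 03 ff ff ff 7f 00 00 ff ff ff ff 00 00")


def parse_wmf_header(data):
    """Return the METAHEADER fields of a placeable WMF, or None if it is not one."""
    if len(data) < PLACEABLE_LEN + struct.calcsize(METAHEADER_FMT):
        return None
    if struct.unpack_from("<I", data, 0)[0] != PLACEABLE_MAGIC:
        return None
    values = struct.unpack_from(METAHEADER_FMT, data, PLACEABLE_LEN)
    return dict(zip(METAHEADER_FIELDS, values))


def triage(data):
    """List findings for one file's bytes; an empty list means nothing flagged."""
    hdr = parse_wmf_header(data)
    if hdr is None:
        return []
    findings = []
    # Indicator stated in this entry: placeable magic plus mtNoObjects == 0.
    if hdr["mtNoObjects"] == 0:
        findings.append("mtNoObjects=0x0000")
    # Added heuristic (assumption, not from the entry): mtSize and mtMaxRecord
    # count 16-bit words, so neither can exceed the words actually present.
    words_present = (len(data) - PLACEABLE_LEN) // 2
    for field in ("mtSize", "mtMaxRecord"):
        if hdr[field] > words_present:
            findings.append(f"{field}=0x{hdr[field]:08x} exceeds file length")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADER):
        print("MS053.wmf header:", finding)
```

Because the listed bytes stop after the METAHEADER, the length check is evaluated against a 40-byte buffer here; on a full file it compares the declared sizes with the real record data.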

CVSS provenance

nvd        v2.0  7.5  HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck        7.5  HIGH