cbcvebase.
CVE-2013-3174
published 2013-07-10

CVE-2013-3174: DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and…

PriorityP270critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
31.98%
98.1th percentile
DirectShow in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows remote attackers to execute arbitrary code via a crafted GIF file, aka "DirectShow Arbitrary Memory Overwrite Vulnerability."

Detection & IOCsextracted from sources · hover to see the quote

pathC:\WINDOWS\system32\qedit.dll
processqedit!CImgGif::ReadImage+0x288
  • The vulnerability is triggered by a specially crafted GIF file opened via DirectShow (e.g., via Media Player Classic). Hunt for GIF files being processed by qedit.dll's CImgGif::ReadImage function, particularly where the NW corner frame offset (file position 0x32C) and Global Color Table (file position 0x307) contain attacker-controlled values.
  • Monitor for access violations (code c0000005) originating from qedit.dll at CImgGif::ReadImage+0x288 (address 60864094 on XP SP3), which indicates exploitation of this memory overwrite vulnerability.
  • The exploit writes an attacker-controlled value (eax=ff414141) to an attacker-controlled memory address (edx=fea57028) via a mov dword ptr [edx],eax instruction inside qedit.dll. Detection should focus on anomalous GIF files causing qedit.dll to perform out-of-bounds writes.
  • ·Exploitation was confirmed on Windows XP SP3 and Windows 7 SP1 Spanish version only; behavior (module base addresses, crash offsets) may differ across other affected OS versions and locales.

CVSS provenance

nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.