CVE-2019-0853
published 2019-04-09

Priority: P260 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 27.57% (97.8th percentile)

A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.

Affected

63 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10

Detection & IOCs (extracted from sources)

  • Exploit delivery via specially crafted document file — monitor for suspicious document opens that trigger GDI+ processing (e.g., EMF/WMF/image-embedded Office docs)
  • Exploit delivery via web — monitor for browser-initiated GDI+ object processing from untrusted sites, particularly image rendering triggered by user navigation
  • Successful exploitation results in full system control — monitor for unexpected child processes, new account creation, or privilege escalation following GDI+ image parsing
  • Exploit status at time of advisory: not publicly disclosed and not exploited in the wild — prioritize patching but no active threat campaign IOCs are available from these sources
  • Vulnerability is in the Windows GDI memory object handling — the attack surface includes any component that renders GDI+ content (browsers, Office, image viewers, email clients)

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc · 7.8 · HIGH