CVE-2023-38146
published 2023-09-12

CVE-2023-38146: Windows Themes Remote Code Execution Vulnerability

Priority P274 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 39.49% (98.4th percentile)
Description: Windows Themes Remote Code Execution Vulnerability

Affected

8 ranges

Vendor     Product                                          Version range                        Fixed in
microsoft  windows_11_21h2                                  < 10.0.22000.2416                    10.0.22000.2416
microsoft  windows_11_22h2                                  < 10.0.22621.2275                    10.0.22621.2275
microsoft  windows_11_version_21h2                          >= 10.0.0 < 10.0.22000.2416          10.0.22000.2416
microsoft  windows_11_version_22h2                          >= 10.0.22621.0 < 10.0.22621.2283    10.0.22621.2283
msrc       windows_11_version_21h2_for_arm64-based_systems  (no range given)                     (not given)
msrc       windows_11_version_21h2_for_x64-based_systems    (no range given)                     (not given)
msrc       windows_11_version_22h2_for_arm64-based_systems  (no range given)                     (not given)
msrc       windows_11_version_22h2_for_x64-based_systems    (no range given)                     (not given)

Note: the two 22H2 rows disagree on the fixed build (10.0.22621.2275 vs 10.0.22621.2283); treating 10.0.22621.2283 as the minimum safe build satisfies both.

Detection & IOCs (extracted from sources)

filename: _vrf.dll
filename: .msstyles
filename: .THEMEPACK
  • Detect .msstyles files whose PACKME_VERSION is set to 999; that value diverts theme loading into the vulnerable DLL-loading code path.
  • Monitor for outbound SMB connections (UNC paths) from the processes that load themes and .msstyles files (e.g. explorer.exe, dwm.exe) to external or unexpected hosts; an attacker-controlled SMB share is where the malicious _vrf.dll is served from.
  • Alert on .THEMEPACK (CAB archive) files delivered by email or web download: they bypass the Mark-of-the-Web warning and the contained theme is applied automatically.
  • Monitor for the race-condition pattern: a _vrf.dll is read for the signature check and then swapped for a different file before the load that actually executes it, particularly when the path is a UNC/SMB share the attacker controls.
  • Mark-of-the-Web (MotW) protection is NOT applied to .THEMEPACK files, so a CAB-wrapped theme delivered from the web will not trigger the standard user warning.
  • Exploitation requires the victim to load a Windows Themes file AND to have network access to an attacker-controlled SMB share; blocking outbound SMB (TCP port 445) at the perimeter removes the second precondition.
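The following Python turns the detection points above into rules over Sysmon-style events (network connection, file create and image load). It is an added example, not code from the page's sources or from any vendor tooling; the process names, event field names and the sample events are assumptions constructed for illustration.

```python
"""Detection rules for the CVE-2023-38146 (ThemeBleed) exploitation chain,
run over Sysmon-style events.  Added example; the events below are
constructed for illustration, not captured telemetry."""
import ipaddress
import re

# Processes assumed to parse .theme/.msstyles content on the victim (see IOC notes).
THEME_LOADERS = {"explorer.exe", "dwm.exe", "systemsettings.exe"}
# Processes assumed to write files arriving from the web or mail (the MotW bypass origin).
DOWNLOADERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
THEME_EXTS = (".themepack", ".deskthemepack", ".theme", ".msstyles")
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+\\")  # \\host\share\...


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True for routable addresses; SMB to internal file servers is expected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def detect(events):
    """Return (rule, detail) tuples for events matching the ThemeBleed chain."""
    alerts = []
    for ev in events:
        proc = basename(ev.get("Image", ""))
        eid = ev.get("EventID")
        # 1. Theme-loading process opening SMB to an external host: the
        #    attacker-controlled share the .msstyles points at.
        if (eid == 3 and proc in THEME_LOADERS
                and int(ev.get("DestinationPort", 0)) == 445
                and is_external(ev.get("DestinationIp", ""))):
            alerts.append(("smb_egress_from_theme_loader",
                           f"{proc} -> {ev['DestinationIp']}:445"))
        # 2. Theme package written by a browser or mail client: .THEMEPACK
        #    arrives without a MotW prompt, so the download itself is the signal.
        elif (eid == 11 and proc in DOWNLOADERS
                and ev.get("TargetFilename", "").lower().endswith(THEME_EXTS)):
            alerts.append(("theme_file_from_downloader", ev["TargetFilename"]))
        # 3. A *_vrf.dll mapped from a UNC path: the copy read for the signature
        #    check and the copy actually loaded can differ (the race).
        elif eid == 7 and proc in THEME_LOADERS:
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower().endswith("_vrf.dll") and UNC_PATH.match(loaded):
                sig = "unsigned" if ev.get("Signed", "true").lower() == "false" else "signed"
                alerts.append(("vrf_dll_loaded_from_unc", f"{loaded} ({sig})"))
    return alerts


# Constructed sample telemetry (not real logs): a benign internal SMB
# connection, a benign download, then the three stages of the chain.
# 1.2.3.4 is a placeholder for an attacker-controlled host.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.20.0.5", "DestinationPort": 445},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\a\Downloads\report.pdf"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\a\Downloads\dark.themepack"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "1.2.3.4", "DestinationPort": "445"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\1.2.3.4\share\dark_vrf.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 1 deliberately ignores RFC 1918 destinations, since explorer.exe talking to an internal file server on 445 is normal; if outbound 445 is already blocked at the perimeter, rule 1 will never fire and rules 2 and 3 carry the detection.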

CVSS provenance

NVD (v3.1): 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vendor (MSRC): 8.8 HIGH