CVE-2023-38146: Windows Themes Remote Code Execution Vulnerability
Published: 2023-09-12
Priority: P2 · 74 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 39.49% (98.4th percentile)
Windows Themes Remote Code Execution Vulnerability
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_21h2 | < 10.0.22000.2416 | 10.0.22000.2416 |
| microsoft | windows_11_22h2 | < 10.0.22621.2275 | 10.0.22621.2275 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2416 | 10.0.22000.2416 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.2283 | 10.0.22621.2283 |
| msrc | windows_11_version_21h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_21h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
Detection & IOCs (extracted from sources)
- Detect MSSTYLES files with PACKME_VERSION set to 999, which triggers the vulnerable DLL-loading code path
- Monitor for outbound SMB connections (UNC paths) initiated by the Windows theme/msstyles loading process (e.g., dwm.exe, explorer.exe) to external or unexpected hosts, which indicates exploitation via attacker-controlled SMB share
- Alert on .THEMEPACK (CAB archive) files delivered via email or web download, as they bypass Mark-of-the-Web warnings and auto-execute the contained theme
- Monitor for race condition exploitation pattern: a _vrf.dll file being read (signature check) and then replaced/swapped before execution load, particularly from UNC/SMB paths
- Mark-of-the-Web (MotW) protection is NOT applied to .THEMEPACK files, meaning CAB-wrapped themes delivered from the web will not trigger the standard user warning
- Exploitation requires the victim to load a Windows Themes file AND have network access to an attacker-controlled SMB share; blocking outbound SMB (port 445) at the perimeter reduces risk
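One way to turn the UNC-path and `_vrf.dll` indicators above into a triage check, as an added example that is not taken from this page's sources or from any vendor rule. It assumes image-load telemetry with field names modelled on Sysmon Event ID 7 (`Image`, `ImageLoaded`); the allowlisted server name and all sample events are constructed.

```python
import ipaddress

# Assumption: file servers permitted to serve DLLs over SMB (hypothetical name).
ALLOWED_SMB_HOSTS = {"fs01.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def unc_host(path):
    # Server part of a UNC path, or None when the path is not UNC.
    p = path.replace("/", "\\")
    if not p.startswith("\\\\"):
        return None
    return p[2:].split("\\", 1)[0].lower() or None

def host_class(host):
    if host in ALLOWED_SMB_HOSTS:
        return "allowed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unlisted-name"
    return "internal-ip" if any(addr in n for n in INTERNAL_NETS) else "external-ip"

def find_vrf_loads(events):
    # Flag every *_vrf.dll image load whose path is UNC and whose server is not allowlisted.
    hits = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        host = unc_host(loaded)
        if host is None or not loaded.lower().endswith("_vrf.dll"):
            continue
        cls = host_class(host)
        if cls != "allowed":
            hits.append({"host": host, "class": cls,
                         "process": ev.get("Image", ""), "path": loaded})
    return hits

# Constructed sample events; field names modelled on Sysmon Event ID 7 (image loaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"\\203.0.113.7\t\aero.msstyles_vrf.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\uxtheme.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"\\fs01.corp.example\themes\corp.msstyles_vrf.dll"},
    {"Image": r"C:\Windows\System32\dwm.exe", "ImageLoaded": r"\\files.unknown.example\t\x.msstyles_vrf.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"\\10.1.2.3\s\a.msstyles_vrf.dll"},
]

if __name__ == "__main__":
    for hit in find_vrf_loads(SAMPLE_EVENTS):
        print(hit["class"], hit["host"], hit["process"])
```

Internal addresses are still reported unless the server is allowlisted, which matches the "external or unexpected hosts" wording of the indicator.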
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_msrc · 8.8 HIGH
GHSA
GHSA-qmqc-m76c-pmrm: Windows Themes Remote Code Execution Vulnerability
ghsa_unreviewed·2023-09-12
CVE-2023-38146 [HIGH] GHSA-qmqc-m76c-pmrm: Windows Themes Remote Code Execution Vulnerability
Microsoft
Windows Themes Remote Code Execution Vulnerability
vendor_msrc·2023-09-12·CVSS 8.8
CVE-2023-38146 [HIGH] CWE-367 Windows Themes Remote Code Execution Vulnerability
FAQ: How could an attacker exploit this vulnerability?
An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5030217
Reference: https://support.microsoft.com/help/5030217
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5030219
Reference: https://support.microsoft.com/help/5030219
No detection rules found.
Bleepingcomputer
Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit
blogs_bleepingcomputer·2023-09-14·CVSS 8.8
CVE-2023-38146 [HIGH] Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit
## Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit
## Bill Toulas
Microsoft addressed CVE-2023-38146 two days ago in the September 2023 Patch Tuesday.
## ThemeBleed details
Kirkpatrick found the vulnerability while looking at "weird Windows file formats," one of them being .THEME for files used to customize the appearance of the operating system.
These files contain references to ‘.msstyles’ files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened.
The researcher noticed that when a version number “999” is used, the routine for handling the .MSSTYLES file includes a major discrepancy between the time a DLL’s (“_vrf.dll”) signature is verified and when the library loads, creating a race condition.
Using a
Bleepingcomputer
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
blogs_bleepingcomputer·2023-09-12·CVSS 6.5
[MEDIUM] Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
## Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
## Lawrence Abrams
3 Security Feature Bypass Vulnerabilities
24 Remote Code Execution Vulnerabilities
9 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
5 Spoofing Vulnerabilities
5 Edge - Chromium Vulnerabilities
The total count of 59 flaws does not include five Microsoft Edge (Chromium) vulnerabilities and two non-Microsoft flaws in Electron and Autodesk.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates released.
## Two actively exploited zero-day vulnerabilities
This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks
CTF
ippsec-video-index
ctf_writeups·CVSS 8.6
[HIGH] ippsec-video-index
# IppSec HTB Video Index - Complete Reference
> The most comprehensive index of IppSec's HackTheBox video walkthroughs.
> Data sourced from [ippsec.rocks](https://ippsec.rocks) dataset, GitHub, and community resources.
> Last updated: 2026-04-10
## Stats
| Category | Count |
|----------|-------|
| HTB Machine Walkthroughs | 432 |
| UHC (Ultimate Hacking Championship) | 12 |
| HTB Sherlocks (DFIR) | 7 |
| VulnHub Machines | 4 |
| Tutorials / Methodology / Special | 61 |
| HTB Academy Modules | 17 |
| **Total Unique Content** | **533** |
| Total Searchable Entries (timestamps) | 9,245 |
## Key Resources
| Resource | URL |
|----------|-----|
| YouTube Channel | [youtube.com/ippsec](https://youtube.com/ippsec) |
| Searchable Video Index | [ippsec.rocks](https://ippsec.rocks) |
| GitHub |