CVE-2025-50165
published 2025-08-12CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.54%
87.8th percentile
Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11_24h2 | < 10.0.26100.4851 | 10.0.26100.4851 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.4946 | 10.0.26100.4946 |
| microsoft | windows_server_2025 | < 10.0.26100.4851 | 10.0.26100.4851 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.4946 | 10.0.26100.4946 |
| msrc | windows_11_version_24h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_24h2_for_x64-based_systems | — | — |
| msrc | windows_server_2025 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is triggered during JPEG re-encoding (compression), not decoding. Monitor for crashes or anomalous behavior in WindowsCodecs.dll during image save/thumbnail creation operations, specifically when processing 12-bit or 16-bit precision JPG files. ↗
- →The crash occurs at jpeg_finish_compress+0xCC when dereferencing the uninitialized function pointer compress_data_12 (offset 0x10 of the pub structure). Use this offset as a crash triage signature. ↗
- →Flag applications that load vulnerable WindowsCodecs.dll versions 10.0.26100.0 through 10.0.26100.4768 and process JPEG images with data_precision set to 12 or 16 (non-standard 8-bit depth). ↗
- →The attack vector includes embedding a malicious JPEG inside Office documents or third-party files. Inspect Office documents for embedded JPEG streams with non-standard bit depth (12-bit or 16-bit precision). ↗
- →Exploitation requires heap spray and ROP techniques to control the instruction pointer after the uninitialized pointer dereference. Monitor for heap spray patterns in processes hosting WindowsCodecs.dll (e.g., Photos app, Office applications). ↗
- →The vulnerable function jpeg_finish_compress is called during thumbnail creation in the Microsoft Photos application. Monitor Photos.exe for crashes or anomalous memory access when processing JPEG files. ↗
- ·Simply opening/rendering a crafted JPG does not trigger the vulnerability; re-encoding (save or thumbnail generation) is required. The attack surface is narrower than a pure open-to-exploit scenario. ↗
- ·Microsoft rates exploitability as 'Less Likely' despite Critical severity. Exploitation additionally requires an address leak and sufficient heap control, making mass exploitation harder than initial reports suggested. ↗
- ·The patched WindowsCodecs.dll (10.0.26100.4946) does not fully align with the upstream libjpeg-turbo 3.1.1 fix (commit e0e18de); it only initializes compress_data_12 and compress_data_16 to a stub, without the broader zero-initialization and NULL-pointer checks introduced upstream. ↗
- ·Additional vulnerable code paths may exist in the decompression process (jdapistd.c) for applications that erroneously change data_precision after calling jpeg_start_decompress, though this scenario is considered unlikely via the Windows Imaging Component API. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Windows Graphics Component Remote Code Execution Vulnerability
vendor_msrc·2025-08-12·CVSS 9.8
CVE-2025-50165 [CRITICAL] CWE-822 Windows Graphics Component Remote Code Execution Vulnerability
Windows Graphics Component Remote Code Execution Vulnerability
Description: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
FAQ: According to the CVSS metric, attack vector is (AV:N) and user interaction is none (UI:N). What does that mean for this vulnerability?
This can happen without user intervention. An attacker can use an uninitialized function pointer being called when decoding a JPEG image. This can be embedded in Office and 3rd party documents/files
FAQ: How could an attacker exploit the vulnerability?
An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction.
Microsoft Graphics Component: Microsoft Graphics Component
Microsoft: Microsoft
GHSA
GHSA-j5q9-ffgr-33m9: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network
ghsa_unreviewed·2025-08-12
CVE-2025-50165 [CRITICAL] CWE-822 GHSA-j5q9-ffgr-33m9: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network
Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
No detection rules found.
No public exploits indexed.
Eset
Revisiting CVE-2025-50165: A critical flaw in Windows Imaging Component
blogs_eset·2025-12-22·CVSS 9.8
CVE-2025-50165 [CRITICAL] Revisiting CVE-2025-50165: A critical flaw in Windows Imaging Component
Award-winning news, views, and insight from the ESET security community
ESET Research
## Revisiting CVE-2025-50165: A critical flaw in Windows Imaging Component
A comprehensive analysis and assessment of a critical severity vulnerability with low likelihood of mass exploitation
Romain Dumont
22 Dec 2025 • , 8 min. read
ESET researchers examined CVE‑2025‑50165, a serious Windows vulnerability described to grant remote code execution by merely opening a specially crafted JPG file – one of the most widely used image formats. The flaw, found and documented by Zscaler ThreatLabz, piqued our interest, as Microsoft assessed its severity as critical but deemed its exploitability as less likely. Our root cause analysis allowed us to pinpoint the exact location of the faulty code and reprodu
Zscaler
Rethinking Cybersecurity in Education: A Vision for Secure Learning with Zero Trust | Zscaler
blogs_zscaler·2025-12-16
Rethinking Cybersecurity in Education: A Vision for Secure Learning with Zero Trust | Zscaler
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Zscaler
CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz
blogs_zscaler·2025-11-20·CVSS 9.8
[CRITICAL] CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Krebs
Microsoft Patch Tuesday, August 2025 Edition
blogs_krebs·2025-08-12·CVSS 7.2
CVE-2025-53786 [HIGH] Microsoft Patch Tuesday, August 2025 Edition
Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.
August’s patch batch from Redmond includes an update for CVE-2025-53786 , a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019 , as well as its flagship Exchange Serv
Bleepingcomputer
Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws
blogs_bleepingcomputer·2025-08-12·CVSS 7.2
[HIGH] Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws
## Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws
## Lawrence Abrams
44 Elevation of Privilege Vulnerabilities
35 Remote Code Execution Vulnerabilities
18 Information Disclosure Vulnerabilities
4 Denial of Service Vulnerabilities
9 Spoofing Vulnerabilities
When BleepingComputer reports on the Patch Tuesday security updates, we only count those released on Patch Tuesday. Therefore, the number of flaws does not include Mariner, Azure, and Microsoft Edge bugs fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5063878 & KB5063875 cumulative updates and the Windows 10 KB5063709 cumulative update .
## One publicly disclosed zero-day fixed
This month's Patch Tuesday fixes one
Qualys
Microsoft and Adobe Patch Tuesday, August 2025 Security Update Review | Qualys
blogs_qualys·2025-08-12
Microsoft and Adobe Patch Tuesday, August 2025 Security Update Review | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for August 2025
- Adobe Patches for August 2025
- Zero-day Vulnerability Patched in August Patch Tuesday Edition
- Critical Severity Vulnerabilities Patched in August Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities inVulnerability Management, Detection & Response (VMDR)
- Rapid Response withPatch Management (PM)
- Microsoft July 2025 Patch Tuesday Mitigations
- Qualys Monthly Webinar Series
It’s the second Tuesday of August, and Microsoft has rolled out its latest security updates. Microsoft’s August 2025 Patch Tuesday has arrived, bringing a fresh wave of security fixes to help organizations stay ahead of evolving threats. Here’s a quick breakdown of wh
Talos
Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
blogs_talos·2025-08-12·CVSS 7.8
[HIGH] Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
## Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 "critical" entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.
CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type ('type confusion') in Grap
Talos
Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
blogs_talos·2025-08-12·CVSS 7.8
[HIGH] Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 "critical" entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.
CVE-2025-50176 is an RCE vulnerability in DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of resource using incompatible type ('type confusion') in Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted t
Krebs
Microsoft Patch Tuesday, August 2025 Edition
blogs_krebs·2025-08-12·CVSS 7.2
CVE-2025-53786 [HIGH] Microsoft Patch Tuesday, August 2025 Edition
Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.
August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server
Qualys
Microsoft and Adobe Patch Tuesday, August 2025 Security Update Review
blogs_qualys·2025-08-12
Microsoft and Adobe Patch Tuesday, August 2025 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for August 2025
Adobe Patches for August 2025
Zero-day Vulnerability Patched in August Patch Tuesday Edition
Critical Severity Vulnerabilities Patched in August Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities inVulnerability Management, Detection & Response (VMDR)
Rapid Response withPatch Management (PM)
Microsoft July 2025 Patch Tuesday Mitigations
Qualys Monthly Webinar Series
It’s the second Tuesday of August, and Microsoft has rolled out its latest security updates. Microsoft’s August 2025 Patch Tuesday has arrived, bringing a fresh wave of security fixes to help organizations stay ahead of evolving threats. Here’s a quick breakdown of what you need t
Crowdstrike
August 2025 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] August 2025 Patch Tuesday: Updates and Analysis
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
How CrowdStrike is Accelerating Exposure Evaluation as Adversaries Gain Speed Apr 06, 2026
STARDUST CHOLLIMA Likely Compromises Axios npm Package Apr 01, 2026
Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management Apr 01, 2026
Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse Mar 31, 2026
Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019
Helping Non-Security Stakeholders Understand AT
Eset
Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component
blogs_eset·CVSS 9.8
CVE-2025-50165 [CRITICAL] Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component
ESET researchers examined CVE‑2025‑50165, a serious Windows vulnerability described to grant remote code execution by merely opening a specially crafted JPG file – one of the most widely used image formats. The flaw, found and documented by Zscaler ThreatLabz, piqued our interest, as Microsoft assessed its severity as critical but deemed its exploitability as less likely. Our root cause analysis allowed us to pinpoint the exact location of the faulty code and reproduce the crash. We believe that the exploitation scenario is harder than it appears to be.
> Key points of this blogpost:
>
> - ESET researchers offer a deep dive analysis of the CVE‑2025‑50165 vulnerability, illustrated with pseudocode snippets.
> - We provide our method to reproduce the crash using a simple 12-bit or 16-bit JP
Zscaler
CXO Monthly Roundup, November 2025: React2Shell, insights into how Zscaler Deception fights AI-driven threats, vulnerabilities uncovered by ThreatLabz, and Water Gamayun APT attack analysis | CXO Revo
blogs_zscaler·CVSS 10.0
[CRITICAL] CXO Monthly Roundup, November 2025: React2Shell, insights into how Zscaler Deception fights AI-driven threats, vulnerabilities uncovered by ThreatLabz, and Water Gamayun APT attack analysis | CXO Revo
## CXO Monthly Roundup, November 2025: React2Shell, insights into how Zscaler Deception fights AI-driven threats, vulnerabilities uncovered by ThreatLabz, and Water Gamayun APT attack analysis
Deepen Desai
Contributor
Zscaler
## Dec 12, 2025
Highlights from the Zscaler ThreatLabz team's November 2025 research.
The CXO Monthly Roundup provides the latest Zscaler ThreatLabz research and critical updates, featuring coverage of the React2Shell vulnerability, insights into how Zscaler Deception fights AI-driven threats, key discoveries from Zscaler threat analysis, a detailed examination of a Water Gamayun APT attack, and the latest threat intelligence on DanaBot and TransferLoader.
## React2Shell (CVE-2025-55182) vulnerability
We will begin by examining an urgent and critical security
2025-08-12
Published