cbcvebase.
CVE-2025-50165
published 2025-08-12

CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Priority: P262
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.54% (87.8th percentile)

Affected (7 ranges)

Vendor    | Product                                        | Version range                        | Fixed in
microsoft | windows_11_24h2                                | < 10.0.26100.4851                    | 10.0.26100.4851
microsoft | windows_11_version_24h2                        | >= 10.0.26100.0, < 10.0.26100.4946   | 10.0.26100.4946
microsoft | windows_server_2025                            | < 10.0.26100.4851                    | 10.0.26100.4851
microsoft | windows_server_2025                            | >= 10.0.26100.0, < 10.0.26100.4946   | 10.0.26100.4946
msrc      | windows_11_version_24h2_for_arm64-based_systems | (no range given)                     |
msrc      | windows_11_version_24h2_for_x64-based_systems   | (no range given)                     |
msrc      | windows_server_2025                            | (no range given)                     |

Detection & IOCs (extracted from sources)

filename: WindowsCodecs.dll
hash: 5887D96565749067564BABCD3DC5D107AB6666BD
url: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5063878
url: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5064010
  • The vulnerability is triggered during JPEG re-encoding (compression), not decoding. Monitor for crashes or anomalous behavior in WindowsCodecs.dll during image save or thumbnail-creation operations, specifically when processing 12-bit or 16-bit precision JPG files.
  • The crash occurs at jpeg_finish_compress+0xCC when dereferencing the uninitialized function pointer compress_data_12 (offset 0x10 of the pub structure). Use this offset as a crash-triage signature.
  • Flag applications that load vulnerable WindowsCodecs.dll versions 10.0.26100.0 through 10.0.26100.4768 and process JPEG images with data_precision set to 12 or 16 (rather than the standard 8-bit depth).
  • The attack vector includes embedding a malicious JPEG inside Office documents or third-party files. Inspect Office documents for embedded JPEG streams with non-standard bit depth (12-bit or 16-bit precision).
  • Exploitation requires heap spray and ROP techniques to control the instruction pointer after the uninitialized pointer dereference. Monitor for heap-spray patterns in processes hosting WindowsCodecs.dll (e.g., the Photos app, Office applications).
  • The vulnerable function jpeg_finish_compress is called during thumbnail creation in the Microsoft Photos application. Monitor Photos.exe for crashes or anomalous memory access when processing JPEG files.
  • Simply opening or rendering a crafted JPG does not trigger the vulnerability; re-encoding (save or thumbnail generation) is required. The attack surface is narrower than a pure open-to-exploit scenario.
  • Microsoft rates exploitability as 'Less Likely' despite the Critical severity. Exploitation additionally requires an address leak and sufficient heap control, making mass exploitation harder than initial reports suggested.
  • The patched WindowsCodecs.dll (10.0.26100.4946) does not fully align with the upstream libjpeg-turbo 3.1.1 fix (commit e0e18de); it only initializes compress_data_12 and compress_data_16 to a stub, without the broader zero-initialization and NULL-pointer checks introduced upstream.
  • Additional vulnerable code paths may exist in the decompression process (jdapistd.c) for applications that erroneously change data_precision after calling jpeg_start_decompress, though this scenario is considered unlikely via the Windows Imaging Component API.
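One way to implement the file-level check the bullets above ask for (flag JPEGs whose SOF precision byte is 12 or 16, including ones embedded as media parts in OOXML Office documents), as an added example that is not part of this record and not Microsoft's or libjpeg-turbo's code; the sample JPEG and container are constructed inline, and the marker walk assumes a standard JPEG marker layout:

```python
import io, struct, zipfile
# SOF0..SOF15 carry the sample-precision byte; 0xC4/0xC8/0xCC in that range are DHT/JPG/DAC.
SOF_MARKERS = {0xC0 + i for i in range(16)} - {0xC4, 0xC8, 0xCC}
NO_LENGTH = {0x01, 0xD8} | {0xD0 + i for i in range(8)}  # TEM, SOI, RST0-7 have no length field

def jpeg_precision(data: bytes):
    """Walk the marker segments; return the precision byte of the first SOF (8, 12 or 16) or None."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                        # not on a marker boundary: malformed stream
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte, the real marker follows
            pos += 1
            continue
        if marker in NO_LENGTH:
            pos += 2
            continue
        if marker in (0xD9, 0xDA):             # EOI, or SOS (entropy data): no SOF can follow
            return None
        if marker in SOF_MARKERS:
            return data[pos + 4] if pos + 4 < len(data) else None  # precision follows the length
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None

def scan_ooxml(doc: bytes) -> list:
    """Names of embedded JPEG parts in an OOXML (zip) document whose precision is 12 or 16 bits."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():             # every part is checked by magic, not by extension
            blob = zf.read(name)
            if blob[:2] == b"\xff\xd8" and jpeg_precision(blob) in (12, 16):
                flagged.append(name)
    return flagged

def minimal_jpeg(precision: int) -> bytes:
    """Constructed sample: SOI, APP0/JFIF, a one-component SOF0 with the given precision, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + bytes([precision]) + struct.pack(">HH", 8, 8) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0 + b"\xff\xd9"

def sample_docx() -> bytes:
    """Constructed sample container: a 12-bit and an 8-bit JPEG under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/media/image1.jpeg", minimal_jpeg(12))
        zf.writestr("word/media/image2.jpeg", minimal_jpeg(8))
    return buf.getvalue()
```

A precision of 12 or 16 is a legitimate JPEG feature, so treat a hit as a triage signal to pair with the WindowsCodecs.dll version check above, not as proof of a malicious file.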

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc: 9.8 CRITICAL