Windows Graphics Vulnerability Opens the Door to System Hijack with a Single Image


A serious remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to take control of a device using a specially crafted JPEG image.

Rated 9.8 on the CVSS scale, this vulnerability is extremely dangerous because it can be exploited without any user interaction.

All about the vulnerability

The flaw was discovered in May 2025 and patched by Microsoft on August 12, 2025. It comes from an untrusted pointer dereference in the windowscodecs.dll file, which is responsible for core image processing.

Attackers can hide a malicious JPEG inside common files such as Microsoft Office documents. When the file is opened or even previewed, the system can be silently compromised.

This issue shows the risks that still exist in older graphics-handling components, where something as simple as decoding an image can lead to a full system takeover. Since Windows is used on billions of devices, unpatched machines remain highly vulnerable to phishing attacks and drive-by downloads.

Zscaler ThreatLabz discovered the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on how JPEG images are encoded and decoded within windowscodecs.dll.

The entry point for exploitation is in the GpReadOnlyMemoryStream::InitFile function. By manipulating buffer sizes, attackers can take control of memory snapshots during file mapping.

Fuzzing tests uncovered a crash caused by an uninitialized pointer at jpeg_finish_compress+0xcc, allowing user-controlled data to be accessed through heap spraying.

Debugging with WinDbg showed stack traces involving functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming that the flaw lies in JPEG metadata handling.

This uninitialized resource bug allows attackers to run code remotely without needing special permissions. Microsoft confirmed that the issue affects automatic image rendering in applications that rely on the Windows Graphics Component.

Affected Versions and Patch Information

| Product | Impacted Version | Patched Version |
|---|---|---|
| Windows Server 2025 | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows 11 Version 24H2 (x64) | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows 11 Version 24H2 (ARM64) | 10.0.26100.4851 | 10.0.26100.4946 |
| Windows Server 2025 (Core) | 10.0.26100.4851 | 10.0.26100.4946 |

Zscaler’s proof-of-concept shows how attackers can manipulate memory by using an app that allocates, frees, and processes Base64-encoded JPEG files, eventually gaining control over the instruction pointer.

There are no known real-world attacks yet, but the low skill needed and the broad attack surface make this vulnerability attractive to ransomware groups and espionage actors. On 32-bit systems, the risk is even higher because Control Flow Guard is disabled by default.

Users should install the August 2025 Patch Tuesday updates as soon as possible, especially on critical systems. It also helps to disable automatic image previews in email clients and restrict untrusted files to sandboxed environments. Zscaler has already deployed cloud-level defenses to detect and block any exploit attempts.
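To find hosts that still need the August 2025 update, the following added example (not code from Zscaler, Microsoft or this article) triages an inventory export against the patched version in the table above. The host names and inventory lines are constructed, and treating every 10.0.26100.x revision below the patched one as unpatched is an assumption.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# From the article's table: impacted 10.0.26100.4851, patched 10.0.26100.4946.
PATCHED = (10, 0, 26100, 4946)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)

class Finding(NamedTuple):
    host: str
    version: str
    status: str  # patched | needs-update | not-listed | unparsed

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, build, revision), or None if malformed."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version: str) -> str:
    v = parse_version(version)
    if v is None:
        return "unparsed"
    # The table only lists the 10.0.26100 branch; make no claim about others.
    if v[:3] != PATCHED[:3]:
        return "not-listed"
    # Assumption: any revision below the patched one still lacks the fix.
    return "patched" if v[3] >= PATCHED[3] else "needs-update"

def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, _, version = line.partition(",")
        findings.append(Finding(host.strip(), version.strip(), classify(version)))
    return findings

# Constructed sample inventory export, one "host,os_version" per line.
SAMPLE = """\
# host,os_version
ws-001,10.0.26100.4851
ws-002,10.0.26100.4946
ws-legacy,10.0.19045.6216
ws-bad,10.0.26100
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.host:12} {f.version:18} {f.status}")
```

Hosts reported as `not-listed` or `unparsed` need a manual check, since the table covers only the 10.0.26100 branch.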

This case highlights the risks of outdated graphics libraries in enterprise environments, where JPEG files are used everywhere. Although no active exploitation has been observed, quick patching and cautious file handling remain the best protection against these image-based attacks.

About the Author:

FirstHackersNews- Identifies Security
