Critical RCE Vulnerability in Windows Imaging Component (CVE-2025-50165)
A critical vulnerability, CVE-2025-50165, was discovered in the Windows Imaging Component (WIC), specifically within the WindowsCodecs.dll library. The flaw arises from the dereferencing of an uninitialized function pointer during the compression and re-encoding of JPEG images with 12-bit or 16-bit color depth, rather than during standard image decoding or rendering. Security researchers from ESET and Zscaler have analyzed the vulnerability, confirming that it could potentially allow remote code execution if a specially crafted JPEG file is processed by a vulnerable application that performs re-encoding, such as during thumbnail creation.
Despite the initial classification as a critical remote code execution risk, further technical analysis indicates that real-world exploitation is significantly constrained. Successful exploitation requires a precise set of conditions: the target application must use a vulnerable version of WindowsCodecs.dll and must re-encode, not just display, a malicious JPEG file. Simply opening or viewing a crafted image is insufficient to trigger the vulnerability, reducing the likelihood of mass exploitation. Microsoft has released a patch, and security experts recommend applying it, but the practical risk is lower than originally feared due to the complexity of the attack scenario.
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
Active Exploitation of Windows Cloud Files Mini Filter Driver and WinRAR Vulnerabilities
Microsoft released security updates addressing 56 vulnerabilities across its Windows platform, including a critical use-after-free flaw in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221) that has been actively exploited in the wild. This vulnerability allows local attackers to escalate privileges to SYSTEM level, posing a significant risk to Windows systems, especially those using cloud storage features like OneDrive, Google Drive, or iCloud. The December 2025 Patch Tuesday also included fixes for other critical and important vulnerabilities, with Microsoft having patched over 1,000 CVEs for the second consecutive year. CISA has added both CVE-2025-62221 and CVE-2025-5618 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation and the urgent need for remediation. CVE-2025-5618 is a directory traversal remote code execution vulnerability in WinRAR, allowing attackers to craft malicious archives that bypass directory restrictions and execute arbitrary code upon extraction. Both vulnerabilities are being leveraged in real-world attacks, prompting federal agencies and organizations to prioritize patching to prevent persistence, lateral movement, and data exfiltration by threat actors.
3 months ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
1 months agoActive Exploitation of Windows Kernel Privilege Escalation Vulnerability CVE-2025-62215
Microsoft has disclosed a critical elevation-of-privilege vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is being actively exploited in the wild. The flaw arises from a race condition and improper memory management, specifically a double-free scenario, allowing local attackers to escalate privileges to SYSTEM level. Exploitation requires an attacker to already have access to the system, but no user interaction is needed, and the attack can be automated. Microsoft has rated the vulnerability as Important, with a CVSS score of 7.0, and notes that all supported Windows 10 editions are affected, including those under Extended Security Updates (ESU). No workaround is available other than applying the official update, and immediate patching is strongly recommended. The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-415 (Double Free), making it a classic post-compromise privilege escalation vector. Attackers can exploit the timing-sensitive memory corruption path in the kernel to gain elevated access, disable security defenses, and move laterally within networks. The attack surface is particularly concerning in enterprise environments where multiple users share access, as any authenticated user can potentially trigger the exploit. Security experts warn that both targeted threat actors and ransomware operators may leverage this flaw to deepen their foothold after initial access, emphasizing the urgency of deploying the security update across all affected systems.
4 months ago