CVE-2025-50165 in WIC: flaw details and exploit odds
ESET Research revisits CVE-2025-50165, a critical Windows Imaging Component issue in WindowsCodecs.dll initially framed as remote code execution via a crafted JPG. Their analysis shows the vulnerability is tied to JPEG re-encoding of non-standard bit depths (12- and 16-bit), not routine image viewing, aligning with Microsoft’s assessment that mass exploitation is less likely.
Key takeaways:
- The bug resides in WindowsCodecs.dll’s JPEG encoding path (jpeg_finish_compress), not the decoding path.
- Two precision-specific function pointers (compress_data_12 and compress_data_16) were left uninitialized, causing a crash when re-encoding 12- or 16-bit JPEGs.
- Trigger conditions are uncommon in everyday workflows; simple opening/rendering of an image is insufficient.
- Exploitation would require an address leak and heap control, further reducing real-world risk.
What actually breaks:
- Affected builds of WindowsCodecs.dll (10.0.26100.0 up to, but not including, 10.0.26100.4946) use libjpeg-turbo 3.0.2 code paths where compress_data_12/16 are never set.
- When data_precision is 12 or 16 and jpeg_finish_compress is reached (e.g., re-saving an image or generating a thumbnail), an uninitialized function pointer is dereferenced, causing a crash.
Patch and code lineage:
- Microsoft’s patched build (10.0.26100.4946) initializes these pointers in jinit_c_rawtranscode_coef_controller_turbo, pointing them at rawtranscode_compress_output_16.
- The upstream libjpeg-turbo project fixed similar issues in version 3.1.1 (commit e0e18de), adding zero-initialization and NULL checks. Newer WindowsCodecs.dll versions incorporate these safeguards.
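The pattern behind the bug and the fix, as an added example that is not ESET's, Microsoft's or libjpeg-turbo's code: a hypothetical C reduction in which a coefficient controller holds one function pointer per sample precision, the vulnerable initializer assigns only the 8-bit slot, and the fixed initializer zeroes the block and adds a NULL check at finish time. The struct layout, function names and the 0xCD fill are constructed stand-ins, not the real WindowsCodecs.dll internals.

```c
#include <string.h>

/* Hypothetical stand-in for libjpeg-turbo's coefficient controller: one entry point per precision. */
typedef int (*compress_fn)(void);
typedef struct {
    int data_precision;                               /* 8, 12 or 16 */
    compress_fn compress_data, compress_data_12, compress_data_16;
} coef_controller;
static int compress_8(void)  { return 8; }   static int compress_12(void) { return 12; }
static int compress_16(void) { return 16; }
static compress_fn select_fn(const coef_controller *c) {
    if (c->data_precision == 16) return c->compress_data_16;
    if (c->data_precision == 12) return c->compress_data_12;
    return c->compress_data;
}
/* Vulnerable pattern: only the 8-bit slot is assigned; 12/16-bit slots keep allocator residue. */
static void init_vulnerable(coef_controller *c, int precision) {
    c->data_precision = precision;
    c->compress_data = compress_8;
}
/* Fixed pattern (3.1.1-style): zero the block, then fill every slot. */
static void init_fixed(coef_controller *c, int precision) {
    memset(c, 0, sizeof *c);
    init_vulnerable(c, precision);
    c->compress_data_12 = compress_12;
    c->compress_data_16 = compress_16;
}
/* NULL check at finish time: an empty slot returns -1 instead of a wild call.
 * Non-NULL garbage still passes, so the zeroing matters as much as the check. */
static int finish_compress(const coef_controller *c) {
    compress_fn fn = select_fn(c);
    return fn ? fn() : -1;
}
/* 1 if the vulnerable init leaves the selected slot holding the 0xCD fill, a
 * constructed stand-in for uninitialized heap bytes (the slot is never called). */
static int slot_left_uninitialized(int precision) {
    coef_controller c;
    compress_fn fill;
    memset(&c, 0xCD, sizeof c); memset(&fill, 0xCD, sizeof fill);
    init_vulnerable(&c, precision);
    compress_fn fn = select_fn(&c);
    return memcmp(&fn, &fill, sizeof fn) == 0;
}
/* Result for a zeroed controller, fully (all=1) or only 8-bit (all=0) filled. */
static int run(int precision, int all) {
    coef_controller c;
    if (all) init_fixed(&c, precision);
    else { memset(&c, 0, sizeof c); init_vulnerable(&c, precision); }
    return finish_compress(&c);
}
```

With the vulnerable initializer the 12- and 16-bit slots still hold the fill bytes, which is what a debugger shows as uninitialized-heap markers; with zeroing plus the NULL check a missing slot becomes an error return rather than a call through garbage.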
Reproduction (high level):
- Using Microsoft’s WIC JPEG re-encode sample with a 12-bit or 16-bit JPEG triggers the crash in vulnerable builds. Debugging shows classic uninitialized-heap marker values at the crash site, confirming the uninitialized-pointer path.
Who is actually at risk:
- Applications that: (1) rely on a vulnerable WindowsCodecs.dll version, (2) can successfully decode 12-/16-bit JPEGs, and (3) re-encode images (including thumbnail generation).
- Simply viewing a JPG does not trigger the bug; the encode path must run.
Exploitability outlook:
- Although rated critical, practical exploitation is constrained by the need for precision-specific images, a re-encoding step, and additional primitives (address leak, heap manipulation). ESET’s and Microsoft’s conclusions align: widespread exploitation is unlikely.
What to do now:
- Apply the latest Windows updates and verify that WindowsCodecs.dll is at least 10.0.26100.4946 (or a newer build that carries the libjpeg-turbo 3.1.1 mitigations).
- Avoid unnecessary re-encoding of high bit-depth JPEGs in unpatched environments.
- Keep third-party libraries current and review image-processing code paths that may implicitly re-encode (e.g., thumbnailers).
Bottom line: CVE-2025-50165 is a real flaw in WIC’s JPEG encoding path for 12/16-bit images, but its exploitability in the wild appears low given the specific conditions and required attacker control.
Source: WeLiveSecurity