Critical Windows Vulnerability (CVE-2025-50165) Exploits JPG Encoding Flaw for Remote Code Execution
Researchers at ESET conducted a deep-dive analysis of CVE-2025-50165, a critical Windows vulnerability discovered by Zscaler ThreatLabz in November 2025. The flaw, rated as high-impact by Microsoft, enables remote code execution (RCE) when a user processes a specially crafted 12-bit or 16-bit JPG image—a scenario initially deemed unlikely by Microsoft due to perceived exploit complexity.
Vulnerability Overview
The bug resides in WindowsCodecs.dll, a core Windows library handling image formats like JPG, PNG, and GIF. Unlike typical image-parsing vulnerabilities (which occur during decoding), this flaw manifests during JPG compression and re-encoding, specifically in the jpeg_finish_compress function. The issue stems from an uninitialized function pointer dereference in the libjpeg-turbo library (version 3.0.2), which WindowsCodecs.dll integrates.
Root Cause & Exploitation Path
ESET’s analysis revealed that the vulnerability triggers when:
- A 12-bit or 16-bit JPG image (non-standard bit depths) is processed.
- The jpeg_finish_compress function attempts to dereference an uninitialized pointer (compress_data_12 or compress_data_16).
- The image is re-encoded, such as when saving a file or generating thumbnails (e.g., via Microsoft Photos).
Microsoft’s initial patch (version 10.0.26100.4946) addressed the issue by initializing the function pointers to a stub handler (rawtranscode_compress_output_16). However, ESET’s binary diffing confirmed that the vulnerable code path was reachable only under specific conditions, requiring:
- A host application using a vulnerable WindowsCodecs.dll version (10.0.26100.0–10.0.26100.4945).
- The ability to decode and re-encode the malicious JPG without crashing.
- Heap manipulation and an address leak for successful exploitation—significantly raising the bar for attackers.
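To make the defect class and the fix pattern concrete, here is an added C illustration written for this page; it is not libjpeg-turbo's or Microsoft's code, and the struct layout, handler names and stub are hypothetical, modelled only loosely on the slot names quoted above. A compression state holds one handler slot per sample precision. The "before" initializer fills only the 8-bit slot, so on non-zeroed heap memory the 12- and 16-bit slots hold whatever bytes were already there and the dispatch in the finish step becomes an indirect call through garbage. The "after" initializer follows the patch pattern described above: every slot is pre-filled with a stub that reports an unsupported precision, so a 12- or 16-bit input gets a clean error instead of a control-flow hijack.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the (hypothetical) compression finish step. */
enum { CJ_OK = 0, CJ_ERR_UNSUPPORTED_PRECISION = 1, CJ_ERR_BAD_PRECISION = 2 };

struct cjpeg_state;
typedef int (*compress_data_fn)(struct cjpeg_state *cinfo);

/* Hypothetical compressor state: one handler slot per sample precision.
   The slot names echo the ones quoted in the writeup; the layout is ours. */
struct cjpeg_state {
    int data_precision;                 /* 8, 12 or 16 */
    compress_data_fn compress_data;     /* 8-bit handler slot */
    compress_data_fn compress_data_12;  /* 12-bit handler slot */
    compress_data_fn compress_data_16;  /* 16-bit handler slot */
    int rows_emitted;
};

/* The only handler this build actually implements. */
static int compress_data_8bit(struct cjpeg_state *cinfo) {
    cinfo->rows_emitted += 1;
    return CJ_OK;
}

/* Stub handler: a safe landing spot for every precision the build does not support. */
static int compress_output_stub(struct cjpeg_state *cinfo) {
    (void)cinfo;
    return CJ_ERR_UNSUPPORTED_PRECISION;
}

/* BEFORE: only the 8-bit slot is written. On memory that was not zeroed, the
   12- and 16-bit slots keep whatever bytes the allocator handed out. */
void init_compressor_vulnerable(struct cjpeg_state *cinfo) {
    cinfo->compress_data = compress_data_8bit;
}

/* AFTER (the pattern of the patch described above): every slot is pre-filled
   with the stub, then the one supported handler overwrites its own slot. */
void init_compressor_fixed(struct cjpeg_state *cinfo) {
    cinfo->compress_data    = compress_output_stub;
    cinfo->compress_data_12 = compress_output_stub;
    cinfo->compress_data_16 = compress_output_stub;
    cinfo->compress_data    = compress_data_8bit;
}

/* The finish step picks a slot by precision and calls through it. With the
   vulnerable init and a 12- or 16-bit input this is the indirect call through
   an uninitialized pointer; with the fixed init it reaches the stub instead. */
int finish_compress(struct cjpeg_state *cinfo) {
    compress_data_fn fn;
    switch (cinfo->data_precision) {
    case 8:  fn = cinfo->compress_data;    break;
    case 12: fn = cinfo->compress_data_12; break;
    case 16: fn = cinfo->compress_data_16; break;
    default: return CJ_ERR_BAD_PRECISION;
    }
    return fn(cinfo);
}

/* Inspect, without calling through it, whether an initializer sets the 12-bit slot.
   calloc is used so an untouched slot reads as NULL; a real heap would hold garbage. */
int twelve_bit_slot_initialized(void (*init)(struct cjpeg_state *)) {
    struct cjpeg_state *cinfo = calloc(1, sizeof *cinfo);
    if (cinfo == NULL) return -1;
    init(cinfo);
    int set = (cinfo->compress_data_12 != NULL);
    free(cinfo);
    return set;
}

/* Run the finish step on a state prepared with the fixed initializer. */
int encode_with_fixed_init(int precision) {
    struct cjpeg_state cinfo;
    memset(&cinfo, 0, sizeof cinfo);
    init_compressor_fixed(&cinfo);
    cinfo.data_precision = precision;
    return finish_compress(&cinfo);
}

int main(void) {
    printf("vulnerable init sets 12-bit slot: %d\n", twelve_bit_slot_initialized(init_compressor_vulnerable));
    printf("fixed init sets 12-bit slot:      %d\n", twelve_bit_slot_initialized(init_compressor_fixed));
    printf("fixed init, 8-bit input:  rc=%d\n", encode_with_fixed_init(8));
    printf("fixed init, 12-bit input: rc=%d\n", encode_with_fixed_init(12));
    return 0;
}
```

The demo deliberately never calls through the unset slot; it only shows that the vulnerable initializer leaves it untouched. In a real process the slot's contents are arbitrary, which is exactly why a function-pointer table should start from a stub-first (or zero-initialized plus NULL-checked) state rather than trusting that every code path filled its slot.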
Reproduction & Impact
ESET reproduced the crash using:
- A 12-bit JPG sample from the libjpeg-turbo repository.
- Microsoft's provided JPG re-encoding example code, which triggered the flaw when processing the image.
While the vulnerability affects Windows Imaging Component (WIC)-dependent applications, exploitation is constrained by the need for precise heap control. Notably, decoding alone does not trigger the bug—only re-encoding does. ESET also found that newer WindowsCodecs.dll versions (e.g., 10.0.22621.6133) incorporate fixes from libjpeg-turbo’s December 2024 update, mitigating the issue.
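Since the vulnerable path is reachable only for 12- or 16-bit inputs, an ingestion pipeline or file gateway can flag such files before handing them to a WIC-based re-encoder (thumbnailer, image converter). Below is an added C example written for this page (not ESET's, Microsoft's or libjpeg-turbo's code) that walks the JPEG marker segments and reads the sample-precision byte from the first SOFn frame header, rejecting truncated or non-JPEG input along the way. The sample byte strings are constructed here for the demo and are not real captured files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples (not real files): SOI, an optional APP0 segment, one SOFn
   frame header for a single-component 8x8 image, then EOI. The byte right after
   the SOFn length field is P, the sample precision. */
const uint8_t SAMPLE_8BIT[] = {
    0xFF, 0xD8,                                     /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,             /* APP0, length 4, two payload bytes */
    0xFF, 0xC0, 0x00, 0x0B, 0x08,                   /* SOF0 (baseline), length 11, P = 8 */
    0x00, 0x08, 0x00, 0x08, 0x01, 0x01, 0x11, 0x00, /* Y, X, Nf = 1, component 1 */
    0xFF, 0xD9                                      /* EOI */
};
const uint8_t SAMPLE_12BIT[] = {
    0xFF, 0xD8,
    0xFF, 0xC1, 0x00, 0x0B, 0x0C,                   /* SOF1 (extended sequential), P = 12 */
    0x00, 0x08, 0x00, 0x08, 0x01, 0x01, 0x11, 0x00,
    0xFF, 0xD9
};
const uint8_t SAMPLE_16BIT_LOSSLESS[] = {
    0xFF, 0xD8,
    0xFF, 0xC3, 0x00, 0x0B, 0x10,                   /* SOF3 (lossless), P = 16 */
    0x00, 0x08, 0x00, 0x08, 0x01, 0x01, 0x11, 0x00,
    0xFF, 0xD9
};
const uint8_t TRUNCATED[] = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x0B, 0x0C, 0x00 }; /* SOF length runs past the end */
const uint8_t NOT_JPEG[]  = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };     /* PNG signature */

/* SOFn markers are 0xC0..0xCF except DHT (0xC4), JPG (0xC8) and DAC (0xCC). */
static int is_sof_marker(uint8_t m) {
    return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC;
}

/* Returns the sample precision P from the first SOFn header (8, 12 or 16 for
   well-formed files), 0 if the stream reaches SOS or EOI without a frame header,
   and -1 if the buffer is not a JPEG or is malformed. */
int jpeg_sample_precision(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* must start with SOI */
    size_t pos = 2;
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return -1;                          /* expected a marker prefix */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos += 1; continue; }               /* fill byte before a marker */
        if (marker == 0xD9) return 0;                             /* EOI: no frame header seen */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) { pos += 2; continue; } /* standalone markers */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3]; /* length field includes its own 2 bytes */
        if (seglen < 2 || pos + 2 + seglen > len) return -1;      /* segment runs past the buffer */
        if (is_sof_marker(marker)) {
            if (seglen < 3) return -1;
            return buf[pos + 4];                                  /* P follows the length field */
        }
        if (marker == 0xDA) return 0;                             /* SOS without SOF: entropy data follows */
        pos += 2 + seglen;
    }
    return -1;                                                    /* ran out of bytes mid-header */
}

/* 1 if the file declares 12- or 16-bit precision, 0 for 8-bit, -1 if not a usable JPEG. */
int jpeg_has_nonstandard_precision(const uint8_t *buf, size_t len) {
    int p = jpeg_sample_precision(buf, len);
    if (p <= 0) return -1;
    return (p == 12 || p == 16) ? 1 : 0;
}

int main(void) {
    printf("8-bit sample: P=%d\n", jpeg_sample_precision(SAMPLE_8BIT, sizeof SAMPLE_8BIT));
    printf("12-bit sample: flagged=%d\n", jpeg_has_nonstandard_precision(SAMPLE_12BIT, sizeof SAMPLE_12BIT));
    printf("16-bit lossless: flagged=%d\n", jpeg_has_nonstandard_precision(SAMPLE_16BIT_LOSSLESS, sizeof SAMPLE_16BIT_LOSSLESS));
    printf("truncated: P=%d\n", jpeg_sample_precision(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

A file that is flagged is not necessarily malicious (12-bit JPEGs are legitimate in medical and HDR workflows), so the sensible policy is to route such files away from hosts still running a WindowsCodecs.dll in the affected range, or to decode them without re-encoding, rather than to block them outright.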
Key Takeaways
- Attack Vector: Requires a 12/16-bit JPG to be re-encoded (e.g., saving, thumbnail generation).
- Exploitability: Low likelihood due to heap manipulation requirements, aligning with Microsoft’s assessment.
- Patch Status: Fixed in later WindowsCodecs.dll versions via libjpeg-turbo updates.
The analysis underscores the risks of third-party library vulnerabilities in core system components, even for ubiquitous formats like JPG.
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "MIC1767125131",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of Windows systems with vulnerable WindowsCodecs.dll versions",
      "industry": "Technology",
      "location": "Global",
      "name": "Microsoft Windows",
      "size": "N/A",
      "type": "Operating System"
    }
  ],
  "attack_vector": "Malicious JPG file (12-bit or 16-bit precision)",
  "data_breach": {
    "file_types_exposed": "JPG (12-bit or 16-bit precision)"
  },
  "date_detected": "2025-11-20",
  "date_publicly_disclosed": "2025-11-20",
  "description": "ESET researchers examined CVE-2025-50165, a critical Windows vulnerability allowing remote code execution via a specially crafted JPG file. The flaw stems from the dereference of an uninitialized function pointer in WindowsCodecs.dll during the compression/encoding of 12-bit or 16-bit JPG images. The vulnerability was initially documented by Zscaler ThreatLabz, and Microsoft assessed its severity as critical but deemed exploitability less likely. ESET's analysis confirmed the root cause and reproduced the crash.",
  "impact": {
    "operational_impact": "Potential crashes during JPG image encoding/compression or thumbnail creation",
    "systems_affected": "Windows systems using vulnerable versions of WindowsCodecs.dll (10.0.26100.0 to 10.0.26100.4946)"
  },
  "investigation_status": "Completed (Root cause identified, exploitability assessed)",
  "lessons_learned": "Vulnerabilities can still exist in widely used image formats like JPG, even in well-tested codecs. Third-party libraries must be kept up-to-date with security patches. Root cause analysis and patch diffing are effective methods for understanding vulnerabilities.",
  "post_incident_analysis": {
    "corrective_actions": "Microsoft patched the vulnerability by initializing the function pointers in WindowsCodecs.dll. Libjpeg-turbo also addressed similar issues in version 3.1.1.",
    "root_causes": "Uninitialized function pointers (compress_data_12 and compress_data_16) in WindowsCodecs.dll during JPG image encoding/compression. The vulnerability is triggered when handling 12-bit or 16-bit JPG images."
  },
  "recommendations": [
    "Update WindowsCodecs.dll to the patched version (10.0.26100.4946 or later).",
    "Ensure third-party libraries (e.g., libjpeg-turbo) are updated to versions with security fixes.",
    "Monitor applications that encode/re-encode JPG images for crashes or anomalous behavior.",
    "Implement zero-initialization of function pointers in custom code to prevent similar vulnerabilities."
  ],
  "references": [
    {
      "date_accessed": "2025-11-20",
      "source": "Zscaler ThreatLabz",
      "url": "https://www.zscaler.com/blogs/security-research/cve-2025-50165-windows-jpg-rce"
    },
    {
      "source": "Microsoft Documentation",
      "url": "https://learn.microsoft.com/en-us/windows/win32/wic/-wic-codec-jpegmetadataencoding#jpeg-re-encode-example-code"
    },
    {
      "source": "ESET Research"
    },
    {
      "source": "libjpeg-turbo GitHub Repository",
      "url": "https://github.com/libjpeg-turbo/libjpeg-turbo"
    }
  ],
  "response": {
    "containment_measures": "Microsoft released a patch (WindowsCodecs.dll version 10.0.26100.4946)",
    "remediation_measures": "Update to patched WindowsCodecs.dll version; zero-initialization of function pointers in libjpeg-turbo library",
    "third_party_assistance": "ESET researchers analyzed the vulnerability"
  },
  "title": "CVE-2025-50165: Remote Code Execution Vulnerability in WindowsCodecs.dll",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2025-50165 (Uninitialized function pointer dereference in WindowsCodecs.dll)"
}