ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files
Created: 2025-12-24 04:06:15
- CVE-2025-50165 is a flaw in the encoding and compressing process of a JPG image, not in its decoding.
- ESET researchers offer a deep-dive analysis of the CVE-2025-50165 vulnerability and provide their method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initial released patch.
- ESET research concludes that this vulnerability has a low likelihood of mass exploitation.
MONTREAL, BRATISLAVA — December 22, 2025 — ESET researchers have examined CVE-2025-50165, a serious Windows vulnerability that theoretically grants remote code execution by opening a specially crafted JPG file – one of the most widely used image formats. ESET’s root cause analysis pinpoints the exact location of the faulty code and reproduces the crash. However, ESET Research believes that the exploitation scenario is harder than it appears to be. The flaw was found and documented by Zscaler ThreatLabz and has already been patched by Microsoft, in August.
“WindowsCodecs.dll crashes when attempting to encode a JPG image with 12-bit or 16-bit data precision. Although Microsoft has classified this vulnerability as critical, our in-depth analysis indicates that large-scale exploitation is highly improbable,” says ESET researcher Romain Dumont, who investigated the vulnerability. “Simply opening, and therefore decoding and rendering, a specially crafted image will not trigger the vulnerability. However, the vulnerable function jpeg_finish_compress could be called if the image is saved or if a host application, such as the Microsoft Photos application, creates thumbnails of images,” explains Dumont.
CVE-2025-50165 is a flaw in the encoding and compressing process of a JPG image, not in its decoding. ESET provides both its own method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initial released patch. Furthermore, the investigation revealed that the vulnerable component uses the open-source library libjpeg-turbo, in which similar issues were found and resolved in December 2024.
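The data precision the analysis refers to is stored in a JPG file's start-of-frame (SOF) header, so files with 12-bit or 16-bit precision can be identified before a service re-encodes or thumbnails them. The following is an added example, not code from ESET or Microsoft; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# SOFn markers are 0xC0-0xCF except DHT (0xC4), JPG (0xC8) and DAC (0xCC).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers that carry no length field (TEM, RST0-RST7).
STANDALONE = {0x01} | set(range(0xD0, 0xD8))

def jpeg_precision(data: bytes):
    """Return (precision_bits, sof_marker) from the first frame header, else None."""
    if data[:2] != b"\xff\xd8":              # file must start with SOI
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker in (0xD9, 0xDA):           # EOI or SOS reached before any SOF
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return None                      # truncated or bogus segment length
        if marker in SOF_MARKERS:
            if seg_len < 8:
                return None
            return data[pos + 4], marker     # first payload byte is the precision
        pos += 2 + seg_len
    return None

def needs_review(data: bytes) -> bool:
    """True for the 12-bit and 16-bit precisions named in the analysis."""
    info = jpeg_precision(data)
    return info is not None and info[0] in (12, 16)

def build_sample(precision: int, marker: int = 0xC1) -> bytes:
    """Constructed header-only sample: SOI, APP0 stub, SOF (1x1, 1 component), EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof = bytes([0xFF, marker]) + struct.pack(">HBHHB", 11, precision, 1, 1, 1)
    return b"\xff\xd8" + app0 + sof + b"\x01\x11\x00" + b"\xff\xd9"

if __name__ == "__main__":
    for bits, m in ((8, 0xC0), (12, 0xC1), (16, 0xC3)):
        print(bits, hex(m), needs_review(build_sample(bits, m)))
```

Because the flaw is in the encoding path, a check like this belongs in front of components that save, convert or thumbnail images on hosts that have not yet received the August update.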
Although JPG is older, widely used, and perhaps the most popular digital image format in automated software testing, vulnerabilities can still be found in some codecs. This ESET Research study of CVE-2025-50165 also highlights the importance of keeping up with security updates when using third-party libraries. As WindowsCodecs.dll is a library, a host application would be considered vulnerable if it allows JPG images to be (re-)encoded, and exploitable only if an attacker has enough control over the application (address leak, heap manipulation).
For a more detailed analysis of the CVE-2025-50165 vulnerability, check out the latest ESET Research blog post “Revisiting CVE-2025-50165: A critical flaw in Windows Imaging Component” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

