VYPR
Advisory · Published Dec 22, 2025 · Updated May 18, 2026 · 1 source

ESET Deep Dive Reveals CVE-2025-50165 Exploitation Harder Than Initially Described

ESET researchers have analyzed CVE-2025-50165, a critical Windows Imaging Component RCE flaw, concluding that exploitation is more difficult than Microsoft's initial assessment suggested.

ESET researchers have published a detailed root cause analysis of CVE-2025-50165, a critical remote code execution vulnerability in the Windows Imaging Component (WindowsCodecs.dll) that Microsoft rated as critical but less likely to be exploited. The flaw, originally discovered by Zscaler ThreatLabz, involves an uninitialized function pointer in the jpeg_finish_compress function that can be triggered when a specially crafted 12-bit or 16-bit JPG image is processed. ESET's analysis confirms the crash is reproducible but assesses that exploitation is harder than initially described.

The vulnerability resides in WindowsCodecs.dll versions from 10.0.26100.0 up to (but not including) 10.0.26100.4946. ESET examined the vulnerable version 10.0.26100.4768 and performed a binary comparison with the patched version. The DLL relies on libjpeg-turbo version 3.0.2 (build 20250529), a library released in January 2024. The crash occurs at jpeg_finish_compress+0xCC when dereferencing a function pointer named compress_data_12, which is only reachable when the data_precision member of jpeg_compress_struct is set to 12—meaning the JPG image uses 12-bit color depth.

Using Diaphora, a binary diffing tool, ESET compared the vulnerable and patched versions of WindowsCodecs.dll. The crashing function jpeg_finish_compress itself was not modified in the patch. Instead, two encoding-related functions were changed: rawtransencode_master_selection and jinit_c_rawtranscode_coef_controller_turbo. In the patched version, the previously uninitialized structure member compress_data_12 is now set to point to a function named rawtranscode_compress_output_16. Notably, the field compress_data_16, also uninitialized in the vulnerable version, is similarly set to the same stub function, indicating there is no specific code to handle 12-bit or 16-bit precision JPG images.

ESET reproduced the crash by compiling a code snippet from Microsoft's documentation that creates a WIC bitmap with 12-bit precision and then encodes it as a JPG. The crash occurs because the compress_data_12 function pointer is never initialized during the encoding path for 12-bit images. The patch simply assigns a stub function that calls the standard 8-bit compression routine, effectively treating 12-bit and 16-bit images as 8-bit during encoding. This means the vulnerability is not exploitable through normal image viewing—it requires a specific application to re-encode a crafted 12-bit JPG.
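The uninitialized-slot pattern and the stub fix, modeled as an added example that is not ESET's, Microsoft's or libjpeg-turbo's code: the struct, the two selection routines and the row counter are simplified stand-ins whose names are borrowed from the article, and the dispatcher returns an error for an empty slot instead of calling through it.

```c
#include <string.h>

/* Simplified model of the precision-dispatch pattern described above, not
 * libjpeg-turbo's real code: names follow the article, bodies are constructed. */
typedef struct compress_state compress_state;
typedef int (*compress_fn)(compress_state *);

struct compress_state {
    int data_precision;            /* 8, 12 or 16 */
    int rows_written;              /* constructed output counter */
    compress_fn compress_data;     /* 8-bit path */
    compress_fn compress_data_12;  /* 12-bit path */
    compress_fn compress_data_16;  /* 16-bit path */
};
/* Stand-in for the 8-bit compression routine. */
static int compress_output_8(compress_state *c) { c->rows_written++; return 0; }
/* Stub assigned by the patch: 12/16-bit precision falls through to 8-bit. */
static int rawtranscode_compress_output_16(compress_state *c) { return compress_output_8(c); }

/* Vulnerable master selection: only the 8-bit slot is assigned. */
void master_selection_vulnerable(compress_state *c) {
    c->compress_data = compress_output_8;
}

/* Patched master selection: every precision slot gets a valid target. */
void master_selection_patched(compress_state *c) {
    c->compress_data    = compress_output_8;
    c->compress_data_12 = rawtranscode_compress_output_16;
    c->compress_data_16 = rawtranscode_compress_output_16;
}

/* jpeg_finish_compress-style dispatch. Returns -1 instead of calling through
 * an empty slot; in the real DLL the slot holds leftover memory, so calling it is UB. */
int finish_compress(compress_state *c) {
    compress_fn fn = c->data_precision == 12 ? c->compress_data_12
                   : c->data_precision == 16 ? c->compress_data_16
                   : c->compress_data;
    if (fn == NULL) return -1;
    return fn(c);
}

/* One encode with the given selection routine; zeroed state makes an unassigned slot NULL. */
int encode_with(void (*select)(compress_state *), int precision) {
    compress_state c;
    memset(&c, 0, sizeof c);
    c.data_precision = precision;
    select(&c);
    return finish_compress(&c);
}
```

The 8-bit path works under both selection routines; only the 12-bit and 16-bit paths differ, which matches the article's observation that the crashing function itself was left untouched by the patch.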

Microsoft's advisory described the flaw as 'less likely' to be exploited, and ESET's analysis supports this assessment. The vulnerable code path is only triggered when an application explicitly encodes a JPG image with 12-bit precision, which is rare in typical user workflows. Most image viewers and browsers decode images rather than re-encode them. However, the flaw remains critical because if an attacker can trick an application into re-encoding a malicious 12-bit JPG, they could achieve remote code execution in the context of the calling process.

The patch was released by Microsoft on December 10, 2025, as part of the monthly security update. ESET recommends that all Windows users apply the update promptly, even though exploitation is considered difficult. The analysis highlights the importance of thorough root cause analysis in assessing vulnerability severity, as initial assessments can sometimes overstate or understate the real-world risk. ESET's work also underscores the value of binary diffing tools in understanding how patches address vulnerabilities, especially when the fix is not in the function where the crash occurs.

Synthesized by Vypr AI