Microsoft Patches Out-of-Bounds Read Information Disclosure in Windows GDI Bitmap Parsing (CVE-2026-25181)
Microsoft has released a security update addressing CVE-2026-25181, an out-of-bounds read information disclosure vulnerability in Windows GDI bitmap parsing that could leak sensitive memory.

Microsoft has released a security update to address CVE-2026-25181, an out-of-bounds read information disclosure vulnerability in the Windows Graphics Device Interface (GDI) bitmap parsing component. The flaw, disclosed by the Zero Day Initiative (ZDI) as ZDI-26-185, allows a remote attacker to leak sensitive memory contents by supplying a specially crafted bitmap header to an affected system.
The vulnerability resides in how Windows GDI parses bitmap images. Specifically, crafted values in a bitmap header can cause the parser to read past the end of an allocated buffer, potentially exposing memory that may contain sensitive information. The CVSS score is relatively low at 3.3, and exploitation requires user interaction with the GDI library: an attacker must convince a user to open a malicious file or visit a compromised website that triggers the parsing.
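The bug class the advisory describes, a bitmap header whose fields claim more data than the buffer actually holds, is easiest to see in a parser that checks every header-derived offset and size against the real buffer length before any pixel is touched. The C program below is an added example written for this article; it is not Microsoft GDI code, it does not reproduce the patched CVE-2026-25181 defect, and its function names (`bmp_validate`, `bmp_pixel_byte`, `build_sample_bmp`) and its restriction to uncompressed 24/32-bpp images are the example's own choices. The header layout is the standard BITMAPFILEHEADER plus BITMAPINFOHEADER, and the 70-byte sample bitmap is constructed inline so the checks can be exercised against both an honest header and forged width or pixel-offset fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Standard BMP layout: 14-byte BITMAPFILEHEADER followed by a 40-byte BITMAPINFOHEADER.
 * Fields are little-endian and decoded byte-wise so no struct punning or alignment is assumed. */
#define BMP_FILE_HEADER_SIZE 14u
#define BMP_INFO_HEADER_SIZE 40u

enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,   /* buffer shorter than the two fixed headers */
    BMP_ERR_MAGIC,       /* missing "BM" signature */
    BMP_ERR_HEADER,      /* biSize inconsistent with the buffer */
    BMP_ERR_DIMENSIONS,  /* width/height/planes/bpp/compression rejected */
    BMP_ERR_PIXELS       /* bfOffBits or width*height*bpp reaches past the buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bytes per pixel row: bpp*width bits rounded up to a 4-byte boundary, computed in 64 bits
 * so that a hostile width cannot wrap the multiplication into a small number. */
static uint64_t row_stride(uint32_t width, uint16_t bpp) {
    return (((uint64_t)width * bpp + 31u) / 32u) * 4u;
}

/* Check every offset and size the header claims against the real buffer length.
 * Only uncompressed (BI_RGB) 24/32-bpp images are accepted; that limit is this example's
 * own simplification (assumption), not a property of GDI. */
int bmp_validate(const uint8_t *buf, size_t len) {
    if (len < BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t off_bits = rd32(buf + 10);            /* bfOffBits: start of the pixel array */
    uint32_t hdr_size = rd32(buf + 14);            /* biSize */
    if (hdr_size < BMP_INFO_HEADER_SIZE || hdr_size > len - BMP_FILE_HEADER_SIZE) return BMP_ERR_HEADER;

    int32_t width = (int32_t)rd32(buf + 18);       /* biWidth */
    int32_t height = (int32_t)rd32(buf + 22);      /* biHeight; negative means top-down */
    uint16_t planes = rd16(buf + 26);
    uint16_t bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    if (width <= 0 || height == 0 || planes != 1) return BMP_ERR_DIMENSIONS;
    if (compression != 0 || (bpp != 24 && bpp != 32)) return BMP_ERR_DIMENSIONS;

    uint64_t abs_h = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    uint64_t pixel_bytes = row_stride((uint32_t)width, bpp) * abs_h;

    /* The pixel array must start after the headers and end inside the buffer. */
    if (off_bits < BMP_FILE_HEADER_SIZE + hdr_size || off_bits > len) return BMP_ERR_PIXELS;
    if (pixel_bytes > (uint64_t)(len - off_bits)) return BMP_ERR_PIXELS;
    return BMP_OK;
}

/* Return the first byte of pixel (x, y), or -1. A reader that trusted the header and indexed
 * buf[off_bits + y*stride + x*bytes_per_pixel] without the validation above is exactly the
 * pattern that reads past the allocation when the header lies about the image size. */
int bmp_pixel_byte(const uint8_t *buf, size_t len, uint32_t x, uint32_t y) {
    if (bmp_validate(buf, len) != BMP_OK) return -1;
    uint32_t off_bits = rd32(buf + 10);
    uint32_t width = rd32(buf + 18);
    int32_t height = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    uint64_t abs_h = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    if (x >= width || y >= abs_h) return -1;
    uint64_t idx = off_bits + y * row_stride(width, bpp) + (uint64_t)x * (bpp / 8u);
    if (idx >= len) return -1;                     /* redundant after validation; kept as defence in depth */
    return buf[idx];
}

/* Constructed sample: a 2x2, 24-bpp, uncompressed BMP (54 header bytes + two 8-byte rows).
 * Callers may override width/height/bfOffBits to forge the kind of header the advisory
 * describes while the buffer itself stays 70 bytes long. */
#define SAMPLE_LEN 70u
static uint8_t g_sample[SAMPLE_LEN];
const uint8_t *build_sample_bmp(int32_t width, int32_t height, uint32_t off_bits) {
    memset(g_sample, 0, SAMPLE_LEN);
    g_sample[0] = 'B'; g_sample[1] = 'M';
    wr32(g_sample + 2, SAMPLE_LEN);                /* bfSize */
    wr32(g_sample + 10, off_bits);                 /* bfOffBits */
    wr32(g_sample + 14, BMP_INFO_HEADER_SIZE);     /* biSize */
    wr32(g_sample + 18, (uint32_t)width);
    wr32(g_sample + 22, (uint32_t)height);
    wr16(g_sample + 26, 1);                        /* biPlanes */
    wr16(g_sample + 28, 24);                       /* biBitCount */
    wr32(g_sample + 30, 0);                        /* BI_RGB */
    memset(g_sample + 54, 0xAB, 16);               /* the pixel data that really exists */
    return g_sample;
}
```

With an honest header (`build_sample_bmp(2, 2, 54)`) validation passes and `bmp_pixel_byte` returns the stored 0xAB; forging the width to 1000 or moving `bfOffBits` to 60 or 100 is rejected with `BMP_ERR_PIXELS` before any index is formed, and a buffer shorter than the fixed headers is rejected as `BMP_ERR_TRUNCATED`. The design point is that every bound is derived from the length the caller actually owns, never from the file's own claims, and that the size arithmetic is done in 64 bits so an oversized dimension cannot wrap into a value that passes the comparison.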
Although the vulnerability is classified as an information disclosure, the ZDI advisory notes that an attacker could leverage this issue in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. This makes the flaw more concerning than its standalone CVSS score suggests, as it could serve as a stepping stone in a multi-stage attack chain.
Microsoft has issued a security update to correct the vulnerability. Users are advised to apply the latest Windows update as soon as possible to mitigate the risk. The update is available through the Microsoft Security Response Center (MSRC) update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25181.
The vulnerability was reported to Microsoft on December 2, 2025, by an anonymous researcher, and the coordinated public release of the advisory occurred on March 10, 2026. This timeline reflects a standard responsible disclosure process, allowing Microsoft time to develop and test the patch before public details emerged.
This advisory is part of a broader pattern of memory safety issues in Windows components. While the GDI library has seen numerous vulnerabilities over the years, each patch reduces the attack surface for both targeted and opportunistic attackers. Organizations should prioritize applying the update as part of their regular patch management cycle, particularly for systems that handle untrusted image files or are exposed to web-based threats.