Windows GDI Vulnerability in Rust Kernel Module Enables Remote Attacks
gbhackers
A newly discovered flaw in Microsoft’s Rust-based Graphics Device Interface (GDI) kernel component allows unprivileged attackers to crash or take control of Windows systems.
Check Point Research (CPR) uncovered the issue in January 2025 and reported it to Microsoft. The company addressed the bug in the May 28, 2025 KB5058499 preview update (OS Build 26100.4202), with full rollout by late June.
Metafile Fuzzing Uncovers Kernel Panic
CPR’s investigation began with a fuzzing campaign focused on Windows metafiles. Fuzzing injects random or malformed data into software to discover weaknesses.
The team used WinAFL Pet to manage mid-scale fuzzing jobs and BugId to analyze crashes. They targeted Enhanced Metafile Format (EMF) and its EMF+ variant, which embed drawing instructions for GDI functions.
Initial tests produced user-space crashes and memory leaks, but after a week, the test machines unexpectedly rebooted due to a kernel BugCheck.
Copyright of this story solely belongs to gbhackers.

