Microsoft Graphics Component Remote Code Execution Vulnerability
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
MSRC compact vulnerability detail
CVE-2025-60724 · GDI+ Remote Code Execution Vulnerability
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Signals
Microsoft Graphics Component
Remote Code Execution
Exploited: No
Publicly disclosed: No
Exploitability: Exploitation Less Likely
CWE
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Description
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
FAQ / Articles
FAQ
Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.
FAQ
According to the CVSS metric, the attack vector is network (AV:N). How could an attacker exploit the vulnerability? An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk.
FAQ
According to the CVSS metric, the privilege required is none (PR:N) and user interaction is none (UI:N). What does that mean for this vulnerability? An attacker doesn't require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause Remote Code Execution or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.