ESET breaks down critical Windows JPG vulnerability

ESET researchers have examined CVE-2025-50165, a serious Windows vulnerability that in theory allows remote code execution when a specially crafted JPG file, one of the most widely used image formats, is opened. ESET's root cause analysis pinpoints the exact location of the faulty code and reproduces the crash. However, ESET Research believes that the exploitation scenario is harder than it appears. The flaw was found and documented by Zscaler ThreatLabz and was patched by Microsoft in August.

"WindowsCodecs.dll crashes when attempting to encode a JPG image with 12-bit or 16-bit data precision. Although Microsoft has classified this vulnerability as critical, our in-depth analysis indicates that large-scale exploitation is highly improbable," says ESET researcher Romain Dumont, who investigated the vulnerability. "Simply opening, and therefore decoding and rendering, a specially crafted image will not trigger the vulnerability. However, the vulnerable function jpeg_finish_compress could be called if the image is saved or if a host application, such as the Microsoft Photos application, creates thumbnails of images," explains Dumont.

CVE-2025-50165 is a flaw in the encoding and compression path for a JPG image, not in its decoding. ESET provides both its own method to reproduce the crash using a simple 12-bit or 16-bit JPG image, and an examination of the initially released patch. Furthermore, the investigation revealed that the vulnerable component uses the open-source library libjpeg-turbo, in which similar issues were found and resolved in December 2024.
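The precondition Dumont describes, a 12-bit or 16-bit image reaching the encoder, is declared in the JPEG file itself: the first byte of every SOFn (start-of-frame) segment is the sample precision P. The following Python parser, added here as an illustration and not ESET's reproduction method or code from its report, walks the marker segments of a JPEG, reads P from the first frame header, and flags anything other than the ubiquitous 8 bits. A host application that re-encodes or thumbnails images could use such a check to triage inputs before handing them to an encoder. The sample headers are constructed inline (minimal 1x1 frames with no scan data) so the script runs offline; the names jpeg_sample_precision, needs_review and make_header are this example's own.

```python
import struct
from typing import Optional

# Markers whose payload starts with the sample-precision byte P (ITU T.81, B.2.2).
# Baseline (SOF0) is 8-bit only; 12-bit uses extended sequential (SOF1) or
# progressive (SOF2); 16-bit is only possible in lossless mode (SOF3).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA  # start of scan: entropy-coded data follows, SOF must precede it


def jpeg_sample_precision(data: bytes) -> Optional[int]:
    """Return the bits-per-sample P declared in the first SOFn segment,
    or None if the bytes are not a JPEG or no frame header is found."""
    if len(data) < 4 or data[:2] != b"\xFF\xD8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # a marker was expected; the stream is corrupt
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip it and re-read the marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:  # EOI before any SOF
                return None
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return None  # length field inconsistent with the buffer
        if marker in SOF_MARKERS:
            return data[pos + 4]  # P immediately follows the 2-byte length
        if marker == SOS:
            return None
        pos += 2 + seg_len  # skip APPn, DQT, DHT, COM, ... segments
    return None


def needs_review(data: bytes) -> bool:
    """True when the image declares a non-8-bit precision (12 or 16 bits),
    i.e. the class of input the article says reaches the faulty encoder path."""
    p = jpeg_sample_precision(data)
    return p is not None and p != 8


def make_header(precision: int, sof: int = 0xC0) -> bytes:
    """Constructed test input: SOI, a dummy APP1 segment, and a 1x1 single-component
    SOFn frame header with the requested precision. No scan data, no EOI."""
    app1 = b"\xFF\xE1" + struct.pack(">H", 6) + b"test"
    # P, Y, X, Nf, then one component: Ci=1, Hi|Vi=0x11, Tqi=0
    payload = bytes([precision]) + struct.pack(">HH", 1, 1) + bytes([1, 0x01, 0x11, 0x00])
    frame = bytes([0xFF, sof]) + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + frame


if __name__ == "__main__":
    for label, blob in (("baseline 8-bit", make_header(8)),
                        ("extended 12-bit", make_header(12, sof=0xC1)),
                        ("lossless 16-bit", make_header(16, sof=0xC3))):
        print(f"{label}: P={jpeg_sample_precision(blob)} review={needs_review(blob)}")
```

The parser stops at the first SOF or SOS rather than decoding anything, so it is safe to run on untrusted input; it treats malformed length fields and non-JPEG data as "unknown" rather than guessing.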

Although JPG is an old, widely used format, and perhaps the one most heavily exercised by automated software testing such as fuzzing, vulnerabilities can still be found in some codecs. This ESET Research study of CVE-2025-50165 also highlights the importance of keeping up with security updates when using third-party libraries. Because WindowsCodecs.dll is a library, a host application is vulnerable only if it allows JPG images to be (re-)encoded, and exploitable only if an attacker has sufficient control over the application (an address leak, heap manipulation).
