CVE-2017-0038

MEDIUM

Windows GDI - Information Disclosure via Crafted EMF File

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-0038. PoCs published by Google Security Research, k0keoyo.

AI-analyzed exploit summary: The writeup describes an information disclosure vulnerability in Windows GDI (gdi32.dll) due to improper handling of DIBs in EMR_SETDIBITSTODEVICE records, allowing out-of-bounds heap memory disclosure. The PoC demonstrates how a crafted EMF file can leak uninitialized heap data via pixel colors in Internet Explorer or Office Online.

Description

gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.

Exploits (2)

exploitdb · WRITEUP · VERIFIED
by Google Security Research · text · dos · windows
https://www.exploit-db.com/exploits/41363

Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows GDI (gdi32.dll) in Internet Explorer and Office Online
Authentication: No auth needed
Prerequisites: Ability to deliver a crafted EMF file to the target system
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 6 stars
by k0keoyo · poc
https://github.com/k0keoyo/CVE-2017-0038-EXP-C-JS

The repository contains a functional C exploit for CVE-2017-0038, which involves memory corruption in Windows GDI via crafted EMF files. The PoC demonstrates the vulnerability by playing a malicious EMF file and leaking memory contents via GetPixel.

Classification: Working Poc (90%)
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows GDI (Graphics Device Interface)
Authentication: No auth needed
Prerequisites: A crafted EMF file (poc1.emf) must be present in the working directory
devstral-2 · analyzed Feb 18, 2026

References (7)

Core References
https://bugs.chromium.org/p/project-zero/issues/detail?id=992 (Patch, Third Party Advisory)
https://0patch.blogspot.com/2017/02/0patching-0-day-windows-gdi32dll-memory.html (Issue Tracking, Patch, Third Party Advisory)
http://www.securitytracker.com/id/1037845 (Third Party Advisory, VDB Entry)
http://www.securityfocus.com/bid/96023 (Third Party Advisory, VDB Entry)
https://github.com/k0keoyo/CVE-2017-0038-EXP-C-JS (Various Sources)
https://www.exploit-db.com/exploits/41363/ (Exploit, Third Party Advisory)

Scores

CVSS v3: 5.5
EPSS: 0.8210
EPSS Percentile: 99.6%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE: CWE-200
Status: published
Products (13)
microsoft/windows_10
microsoft/windows_10 1511
microsoft/windows_10 1607
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 3 more
Published: Feb 20, 2017
Tracked Since: Feb 18, 2026