CVE-2023-38146

HIGH

Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-38146: proof-of-concept repositories published by exploits-forsale, Jnnshschl and Durge5, plus the Metasploit module exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2023-38146 (ThemeBleed), which leverages a vulnerability in Windows theme files to achieve remote code execution. The PoC includes a server component and tools to generate malicious .theme and .themepack files, along with staged payloads to bypass signature checks.

Description

Windows Themes Remote Code Execution Vulnerability

Exploits (4)

nomisec · WORKING POC · 202 stars
by exploits-forsale · poc
https://github.com/exploits-forsale/themebleed

This repository contains a functional proof-of-concept exploit for CVE-2023-38146 (ThemeBleed), which leverages a vulnerability in Windows theme files to achieve remote code execution. The PoC includes a server component and tools to generate malicious .theme and .themepack files, along with staged payloads to bypass signature checks.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (specific versions affected by CVE-2023-38146)
Authentication: none needed
Prerequisites: Victim must open a malicious .theme or .themepack file · Attacker must host a server to serve staged payloads
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 24 stars
by Jnnshschl · poc
https://github.com/Jnnshschl/CVE-2023-38146

This repository contains a functional exploit for CVE-2023-38146 (ThemeBleed), which leverages a vulnerability in Windows 11 theme files to achieve remote code execution. The exploit includes a Python-based SMB server that dynamically replaces a legitimate DLL with a malicious one, and a C++ reverse shell template for payload delivery.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows 11 (Theme Service)
Authentication: none needed
Prerequisites: Network access to target · Victim interaction to apply malicious theme file
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 2 stars
by Durge5 · poc
https://github.com/Durge5/ThemeBleedPy

This repository contains a Python-based proof-of-concept exploit for CVE-2023-38146 (ThemeBleed), which leverages unsafe DLL loading in Windows theme files. The exploit uses an SMB server to serve malicious files, leading to remote code execution when a vulnerable system processes a crafted .theme file.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows 11 (specific versions affected by CVE-2023-38146)
Authentication: none needed
Prerequisites: Vulnerable Windows 11 system · Network access to target · Crafted .theme file with malicious SMB server reference
Analyzed by devstral-2 on Feb 18, 2026
metasploit · WORKING POC · rank EXCELLENT
by gabe_k, bwatters-r7, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb

This Metasploit module exploits CVE-2023-38146, a TOCTOU vulnerability in Windows 11 theme handling, by serving a malicious DLL via SMB when a theme file references an msstyles file with PACKME_VERSION set to 999.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows 11 (unpatched)
Authentication: none needed
Prerequisites: Valid signed .msstyles file · SMB server control · Victim interaction to load theme
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.3923
EPSS Percentile: 98.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Status: published
Products (2):
microsoft/windows_11_21h2 < 10.0.22000.2416
microsoft/windows_11_22h2 < 10.0.22621.2275
Published: Sep 12, 2023
Tracked Since: Feb 18, 2026