ESET analyzes critical Windows JPG vulnerability CVE-2025-50165
ESET Research reveals the root cause of a critical Windows JPG flaw, explaining why remote code execution is harder to exploit than initially feared.
WISE NEWS PRESS / BRATISLAVA, SLOVAKIA — DECEMBER 27, 2025
Cybersecurity firm ESET has released a root-cause analysis of a critical Windows vulnerability, CVE-2025-50165, which involves the misuse of JPG files to achieve remote code execution (RCE).
While Microsoft previously classified the flaw as critical, ESET Research concluded that the probability of mass exploitation is low. The vulnerability resides within the Windows Imaging Component and specifically affects the way the system handles image encoding. Researchers found that simply opening or viewing a malicious image is not enough to trigger the flaw; instead, the vulnerability is activated during the compression and saving stages of image processing.
Vulnerability triggered during encoding, not decoding
According to ESET researcher Romain Dumont, the flaw is triggered when "WindowsCodecs.dll" attempts to encode a JPG image with 12-bit or 16-bit data precision. "While opening an image for viewing does not trigger the vulnerability, calling the jpeg_finish_compress function during a save operation or when an app like Microsoft Photos generates thumbnails can lead to a system crash or exploit execution," Dumont explained. This distinction significantly limits the attack surface for casual users.
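An added example, not code from ESET or Microsoft: a Python triage check that reads the sample precision declared in a JPEG frame header (SOF segment) and flags 12-bit and 16-bit files before they reach a pipeline that re-encodes images or builds thumbnails. Using the precision declared by an input file as a triage signal is an assumption made here; the function names and the sample bytes are constructed for illustration.

```python
import struct

# SOF0..SOF15, minus DHT (0xC4), JPG (0xC8) and DAC (0xCC), which share the range.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
NO_LENGTH = set(range(0xD0, 0xD8)) | {0x01}  # RSTn and TEM carry no length field


def jpeg_precision(data: bytes):
    """Return (precision_bits, width, height) from the first SOF segment, or
    None if the data is not a JPEG or is malformed before the frame header."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in NO_LENGTH:
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached with no frame header
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if length < 2 or len(body) != length - 2:
            return None  # bad or truncated segment
        if marker in SOF_MARKERS:
            if len(body) < 6:
                return None
            precision, height, width = struct.unpack(">BHH", body[:5])
            return precision, width, height
        pos += 2 + length
    return None


def needs_review(data: bytes) -> bool:
    """True when the frame header declares 12-bit or 16-bit sample precision."""
    info = jpeg_precision(data)
    return info is not None and info[0] in (12, 16)


def sample(precision: int, sof: int = 0xC1) -> bytes:
    """Constructed header-only JPEG: SOI, APP0 stub, one-component SOF, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    frame = struct.pack(">BBHBHHB", 0xFF, sof, 11, precision, 48, 64, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + app0 + frame + b"\xff\xd9"
```

The check reads only segment headers up to the first frame header, so it never decodes or re-encodes the image it inspects.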
The link to open-source libraries
The investigation revealed that the vulnerable Windows component utilizes "libjpeg-turbo," a widely used open-source library. ESET noted that similar issues were identified and patched within the libjpeg-turbo community as early as December 2024. The persistence of such flaws in the JPG format—one of the most scrutinized digital formats in existence—highlights the ongoing challenges of securing legacy codecs and managing third-party library dependencies in modern operating systems.
Barriers to successful exploitation
For an attacker to successfully exploit CVE-2025-50165, they would require a high degree of control over the host application. ESET’s analysis suggests that a successful attack would likely need to be combined with other techniques, such as address leaks or heap manipulation, to bypass modern Windows security mitigations. ESET emphasizes that while the risk of mass exploitation is low, the research underscores the vital importance of keeping third-party libraries and OS components updated through official Microsoft security patches.











