Summary

• ThemeBleed exploit is a new vulnerability in Windows Themes that allows remote code execution (RCE).

• The vulnerability was discovered by Gabe Kirkpatrick and assigned the CVE identifier CVE-2023-38146.

• It is a race condition vulnerability that can be triggered by opening a specially crafted .theme file.

• Microsoft has released a patch for the vulnerability in the September 2023 Patch Tuesday updates.

• However, the patch does not fix the more fundamental problem in the verification procedure of .msstyles files, nor does it add MOTW warnings to .themepack files.

• The researcher notes that the vulnerability appears to be only present in Windows 11.