An exploit has been released for a vulnerability in .themes that was patched in the September 2023 Patch Tuesday update.
Summary
ThemeBleed exploit is a new vulnerability in Windows Themes that allows remote code execution (RCE).
The vulnerability was discovered by Gabe Kirkpatrick and assigned the CVE identifier CVE-2023-38146.
It is a race condition vulnerability that can be triggered by opening a specially crafted .theme file.
Microsoft has released a patch for the vulnerability in the September 2023 Patch Tuesday updates.
However, the patch does not fix the more fundamental problem in the verification procedure of .msstyles files, nor does it add MOTW warnings to .themepack files.
The researcher notes that the vulnerability appears to be only present in Windows 11.