HighCISA KEVExploited in the wildPublic exploit

TrueType Font Parsing Vulnerability in Microsoft Windows win32k.sys

IdentifiersCVE-2011-3402CWE-20

CVE-2011-3402 is a remote code execution vulnerability in the TrueType font parsing engine of Microsoft Windows, specifically in win32k.sys within the kernel-mode drivers. The flaw is triggered when Windows improperly handles specially crafted TrueType font data. An attacker can deliver the malicious font through an embedded font in a Microsoft Word document or through a web page that embeds TrueType fonts. Successful exploitation results in execution of attacker-controlled code in kernel mode. The vulnerability was publicly disclosed and exploited in limited targeted attacks in the wild, including attacks associated with Duqu. Microsoft addressed the issue in MS11-087 / KB2639417 by modifying how the Windows kernel-mode driver handles TrueType font files.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in kernel mode. Because the code runs in the Windows kernel context, an attacker can effectively take full control of the affected system, including installing programs, viewing, modifying, or deleting data, and creating accounts with full administrative privileges. In practical terms, this is a full system compromise from a remote delivery vector, subject to the user opening a malicious document or visiting a malicious web page.

Mitigation

If you can’t patch tonight, do this now.

As a workaround, Microsoft provided guidance to deny access to T2EMBED.DLL to reduce exposure to web-based and file-sharing attack scenarios involving embedded fonts. This workaround does not mitigate the local attack scenario on affected Server Core installations and may break applications that rely on embedded font technology, including some PDF generation workflows in Microsoft Office. Additional exposure reduction measures include avoiding untrusted documents and restricting access to malicious web content until patching is completed.

Remediation

Patch, then assume compromise.

Apply Microsoft security update KB2639417 released in Security Bulletin MS11-087. The patch changes the way the Windows kernel-mode driver processes TrueType font files and is the vendor-provided fix for CVE-2011-3402. Organizations should prioritize patching affected legacy Windows systems, including Windows XP SP2/SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2/R2/R2 SP1, and Windows 7 Gold/SP1, as applicable in the provided content.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 7operating_system

Microsoft CorporationWindows Server 2003operating_system

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Vistaoperating_system

Microsoft CorporationWindows Xpoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app

cyberthroneNews

Oct 7, 2025

CISA Adds 7 Actively Exploited Vulnerabilities to KEV Catalog

A Windows kernel (win32k.sys) TrueType font parsing remote code execution vulnerability triggered via malicious font files in documents or web pages.

microsoft technet subdomainNews

Jun 8, 2023

Microsoft Security Bulletin MS11-087 - Critical | Microsoft Learn

A critical remote code execution vulnerability in the Windows kernel-mode driver caused by improper handling of specially crafted TrueType font files.

contagiodump blogNews

May 12, 2015

contagio: An Overview of Exploit Packs (Update 25) May 2015

A specific vulnerability used by multiple exploit kits according to the table.

web archiveNews

Oct 14, 2014

Two Limited, Targeted Attacks; Two New Zero-Days | FireEye Inc

Earlier Windows TrueType Font (TTF) vulnerability referenced as a prior similar issue that was adapted by exploit kits for browser-based exploitation.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2011-3402

NVD

nvd.nist.gov/vuln/detail/CVE-2011-3402

MITRE CWE · CWE-20

cwe.mitre.org

Vendor Advisory

blogs.technet.com/b/msrc/archive/2011/11/03/microsoft-releases-security-advisory-2639658.aspx

Vendor Advisory

secunia.com/advisories/49121

Vendor Advisory

secunia.com/advisories/49122

Vendor Advisory

technet.microsoft.com/security/advisory/2639658

Vendor Advisory

docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087

Vendor Advisory

docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-034

Vendor Advisory

docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-039

Third Party Advisory

isc.sans.edu/diary/Duqu+Mitigation/11950

US Government Resource

us-cert.gov/cas/techalerts/TA11-347A.html

+4 more references

view more in app