CVE-2011-3402
published 2011-11-04


Priority: P194 high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Flags: KEV, ITW (exploited in the wild), EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 78.29% (99.5th percentile)
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: windows_server_2008
Version range: (not specified)
Fixed in: (not specified)

Detection & IOCs (extracted from sources)

Hash: 574313E41F8FB121DF94BD0C20E4EB14
Snort: GID 3, SID 20539
  • CVE-2011-3402 is exploited via crafted TrueType font data embedded in a Word document or web page, targeting win32k.sys in the Windows kernel-mode driver.
  • Monitor for unusual outbound network connections, unexpected system driver modifications, and kernel-level code loading as indicators of Duqu activity exploiting this CVE.
  • Duqu uses spearphishing emails with malicious attachments as the primary delivery vector for this exploit.
  • The Snort rule SID 20539 (GID 3) was released by Sourcefire within 48 hours of the advisory; verify it is still current in your ruleset, as it may have been superseded.
  • The Styx exploit kit infrastructure used this CVE alongside Java exploits; the malicious domain styx-crypt[dot]com was the public-facing marketing site for the kit operators.

CVSS provenance

NVD (v3.1): 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD (v2.0): 9.3 CRITICAL, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 8.8 HIGH
CISA: 8.8 HIGH