CVE-2011-5046
published 2011-12-30


Priority: P268 · Severity: critical · CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 45.46% (98.6th percentile)
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability."

Affected (1 range)

Vendor      Product              Version range    Fixed in
microsoft   windows_server_2008  (not listed)     (not listed)

Detection & IOCs (extracted from sources)

  • Crash originates from win32k!NtGdiDrawStream syscall — monitor or block calls to NtGdiDrawStream with anomalous/large stream parameters from browser renderer processes
  • Exploit is triggered via a crafted IFRAME element with a large height attribute rendered by Apple Safari on Windows — inspect HTTP responses containing IFRAME tags with abnormally large height values
  • Call chain passes through win32k!EngDrawStream and win32k!NtGdiDrawStreamInternal before the fault — kernel crash (BSoD) via PAGE_FAULT_IN_NONPAGED_AREA (0x50) is the observable symptom
  • Fault occurs inside win32k!memmove called from win32k!NtGdiUpdateTransform — memory corruption in win32k.sys GDI path is the root cause; kernel crash bugcheck 0x50 (PAGE_FAULT_IN_NONPAGED_AREA) is the DoS indicator
  • Exploit was demonstrated specifically against Apple Safari on Windows 7 x64; other browsers may not trigger the vulnerable GdiDrawStream code path in the same way
  • Vulnerability affects a wide range of Windows versions (XP SP2/SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2/R2/R2 SP1, Windows 7 Gold/SP1) — detection and patching scope must cover all listed platforms