CVE-2015-2426
published 2015-07-20
CVE-2015-2426: Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1…
Priority P192 · high · 8.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-04-18
Exploited in the wild
EPSS 86.69% (99.7th percentile)
Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Driver Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for notepad.exe being spawned as a hidden process from a Meterpreter or other non-interactive session: the exploit launches notepad.exe hidden to host the reflective DLL injection.
- Detect reflective DLL injection of a file named reflective_dll.x64.dll dropped under a path containing 'CVE-2015-2426'.
- The exploit targets atmfd.dll (Windows Adobe Type Manager Library) through memory corruption triggered by parsing a malformed OpenType font (NVD describes it as a buffer underflow; the Metasploit module describes it as a pool-based buffer overflow); alert on unusual kernel pool activity or crashes attributable to atmfd.dll.
- The exploit's ROP chain is assembled from gadgets in win32k.sys and ntoskrnl.exe and runs in kernel mode once the pool corruption lands, so there is no user-mode write into those modules to observe; a failed chain crashes the kernel, so bugchecks involving win32k.sys or ntoskrnl.exe on hosts at one of the builds listed below are the practical signal.
- The Metasploit module only supports Windows 8.1 x64 and specific win32k.sys/ntoskrnl.exe build versions (6.3.9600.17415, .17630, .17668, .17694, .17796, .17837, .17915, .17936); against other builds its version check fails.
- The module requires an existing Meterpreter session and aborts if the session is already SYSTEM or is running under WOW64.
- ROP chain offsets are hardcoded per win32k.sys/ntoskrnl.exe build; if the target build is not in the supported list, the check returns CheckCode::Detected or CheckCode::Unknown and the module does not proceed.
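Added example (not code from the page's sources or from the Metasploit module): a small Python triage script that applies the signals above to constructed telemetry. It flags notepad.exe launched from a non-interactive parent, flags writes of reflective_dll.x64.dll (strong when the path carries the CVE id, weak otherwise), and checks an inventory of win32k.sys file versions against the build list the public module supports. The "host|kind|image|parent" log layout, the interactive-parent allowlist, the host names and the inventory values are assumptions made for the example.

```python
"""Triage constructed process/file events for MS15-078 exploit tradecraft
and rank hosts by whether the public Metasploit module supports their build."""
import re
from dataclasses import dataclass

# Build versions the public Metasploit module hardcodes ROP offsets for
# (taken from the detection notes above). Hosts at exactly these builds are
# the ones the public exploit works against without modification.
SUPPORTED_BUILDS = {
    "6.3.9600.17415", "6.3.9600.17630", "6.3.9600.17668", "6.3.9600.17694",
    "6.3.9600.17796", "6.3.9600.17837", "6.3.9600.17915", "6.3.9600.17936",
}

# Parents from which an interactive user normally launches notepad.exe.
# Assumption for this example: anything else counts as non-interactive.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

@dataclass(frozen=True)
class Event:
    host: str
    kind: str          # "proc" (process creation) or "file" (file write)
    image: str         # created process image, or written file path
    parent: str = ""   # parent process image for "proc" events

# Constructed sample telemetry (not real logs); layout is "host|kind|image|parent".
SAMPLE_LOG = """\
ws01|proc|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe
ws02|proc|C:\\Windows\\System32\\notepad.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe
ws02|file|C:\\Users\\bob\\AppData\\Local\\Temp\\CVE-2015-2426\\reflective_dll.x64.dll|
ws03|file|C:\\Program Files\\App\\reflective_dll.x64.dll|
ws04|proc|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe
"""

def parse_events(text):
    """Parse the constructed pipe-delimited log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, kind, image, parent = line.split("|", 3)
        events.append(Event(host, kind, image, parent))
    return events

def basename(path):
    """Case-folded last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (host, rule, detail) findings, in event order."""
    findings = []
    for ev in events:
        if ev.kind == "proc" and basename(ev.image) == "notepad.exe":
            # The exploit hosts its reflective DLL in a hidden notepad.exe;
            # an unusual parent is the closest proxy in generic process logs.
            if basename(ev.parent) not in INTERACTIVE_PARENTS:
                findings.append((ev.host, "notepad_nonint_parent", ev.parent))
        elif ev.kind == "file" and basename(ev.image) == "reflective_dll.x64.dll":
            # Exact dropped-file name; a path carrying the CVE id is the strong form.
            if re.search(r"cve-2015-2426", ev.image, re.IGNORECASE):
                findings.append((ev.host, "reflective_dll_cve_path", ev.image))
            else:
                findings.append((ev.host, "reflective_dll_name_only", ev.image))
    return findings

def exploitable_by_public_module(host_builds):
    """host_builds maps host -> win32k.sys file version. Returns the sorted
    hosts whose build is one the public module carries offsets for."""
    return sorted(h for h, b in host_builds.items() if b in SUPPORTED_BUILDS)

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
    # Constructed inventory: only ws01 sits at a supported build.
    print(exploitable_by_public_module({
        "ws01": "6.3.9600.17415", "ws02": "6.3.9600.18000", "ws05": "6.1.7601.19045",
    }))
```

Hosts that are at a build outside the module's list are not safe, only outside the reach of this particular public module; a build-version match is a prioritisation hint, and the dropped-file and notepad.exe signals are the ones worth alerting on.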
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
VulDB
Microsoft Windows Vista SP2 up to Server 2012 R2 Adobe Type Manager Library atmfd.dll memory corruption (MS15-078 / VU#103336)
vuldb·2026-04-22·CVSS 8.8
CVE-2015-2426 [HIGH] Microsoft Windows Vista SP2 up to Server 2012 R2 Adobe Type Manager Library atmfd.dll memory corruption (MS15-078 / VU#103336)
A vulnerability was found in Microsoft Windows Vista SP2 up to Server 2012 R2. It has been rated as critical. This affects an unknown function in the library atmfd.dll of the component Adobe Type Manager Library. Performing a manipulation results in memory corruption.
This vulnerability is known as CVE-2015-2426. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
To fix this issue, it is recommended to deploy a patch.
GHSA
GHSA-7w6v-23gr-722w: Buffer underflow in atmfd
ghsa_unreviewed·2022-05-14
CVE-2015-2426 [HIGH] CWE-119 GHSA-7w6v-23gr-722w: Buffer underflow in atmfd
Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Driver Vulnerability."
Project0
A year of Windows kernel font fuzzing #1: the results - Project Zero
project_zero·2016-06-01
CVE-2015-2387 A year of Windows kernel font fuzzing #1: the results - Project Zero
Posted by Mateusz Jurczyk of Google Project Zero
This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part #1 here, we present a general overview of the font security area, followed by a high-level explanation of the fuzzing effort we have undertaken, including the overall results and case studies of two bug collisions. In the upcoming part #2, we will share the specific technical details of the project, and how we tried to optimize each part of the process to the maximum extent, and go beyond the current state of the art in Windows kernel font fuzzing. Read on!
## Background
To most readers of this blog, the fact that fonts are a very si
VulnCheck
Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability
vulncheck·2015·CVSS 8.8
CVE-2015-2426 [HIGH] CWE-119 Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.trendmicro.com/en_us/research/15/g/hacking-team-leak-uncovers-another-windows-zero-day-ms-releases-patch.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf; https://blog.talosintelligence.com/content/fil
CISA
Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability
cisa·2022-03-28·CVSS 8.8
CVE-2015-2426 [HIGH] CWE-119 Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability
Affected: Microsoft Windows
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-2426
Remediation Due Date: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)
exploitdb·2015-09-17
CVE-2015-2433 Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

# Local privilege-escalation module: runs from an existing Meterpreter
# session and hosts its payload through reflective DLL injection.
class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
      'Description' => %q{
        This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
        a malformed font. The vulnerability was exploited by Hacking Team and disclosed in
        the July data leak. This module has been tested successfully on vulnerable builds of
        Windows 8.1 x64.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'Eugene Ching', # vulnerability discovery and exploit
        'Mateusz Jurczyk', # vu
      ]
      # remainder of the module excerpt is truncated on the source page
    ))
  end
end
```
Metasploit
MS15-078 Microsoft Windows Font Driver Buffer Overflow
metasploit
MS15-078 Microsoft Windows Font Driver Buffer Overflow
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the hacking team and disclosed in the July data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64.
References:
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/
- http://www.kb.cert.org/vuls/id/103336
- http://www.securityfocus.com/bid/75951
- http://www.securitytracker.com/id/1032991
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-078
- https://www.exploit-db.com/exploits/38222/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2426
Published: 2015-07-20
Added to CISA KEV: 2022-03-28
Exploited in the wild