CVE-2015-2461
published 2015-08-15


Priority: P2 (72)
CVSS 2.0: 9.3 critical (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available (see the Exploit-DB links under Detection & IOCs)
EPSS: 36.37% (98.3rd percentile)
ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2459.

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37917.zip
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42243.zip
Filename: ATMFD.DLL
  • The exploit is triggered via font loading through win32k!NtGdiAddFontResourceW — monitor kernel call stacks involving win32k!NtGdiAddFontResourceW → win32k!GreAddFontResourceWInternal → win32k!PUBLIC_PFTOBJ::bLoadFonts → ATMFD.DLL for anomalous OTF font files.
  • The malicious CFF font file can be crafted with a single byte change at offset 0x375 (offset 0x71 within the 'CFF ' table) from 0x01 to 0x41 — inspect loaded OTF/CFF font files for anomalous Name INDEX offset values that exceed the bounds of the Name INDEX data block.
  • The vulnerability is exploitable via the Windows Font Viewer or any application that loads fonts — no special tools required; monitor for unexpected font loading (NtGdiAddFontResourceW) from untrusted or web-sourced OTF files in csrss.exe context.
  • The root cause is missing bounds checking on NAME.offset[x] in the CFF Name INDEX parser of ATMFD.DLL — the expression 'base address of the Name INDEX data + NAME.offset[x] - 1' is dereferenced without validation, enabling out-of-bounds read.
  • The crash is most reliably reproduced with Special Pool enabled for ATMFD.DLL; on default Windows installations the crash may still occur but is harder to observe immediately.
  • The patch for CVE-2015-2461 (MS15-080) may have been insufficient — an almost identical crash was reproduced nearly two years after the original fix, suggesting incomplete remediation.
  • Impact is assessed as out-of-bounds read only (remote DoS or local kernel memory disclosure), but more severe exploitation via unknown ATMFD logic cannot be fully ruled out.
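The root-cause and "inspect loaded OTF/CFF font files" bullets above describe one concrete check: every NAME.offset[x] in the CFF Name INDEX must stay inside the INDEX's own data block before it is dereferenced. The script below is an added defensive example, not code from the page, from Exploit-DB or from Microsoft; it implements that bounds check for a bare CFF blob or for the 'CFF ' table inside an OpenType (sfnt) container, so a font can be audited before it is handed to a system font loader. The function names (parse_cff_index, locate_cff_table, audit_name_index) and both sample fonts are constructed for this example; the malformed sample simply carries an offset larger than its 8-byte data block and is not the Exploit-DB PoC.

```python
import struct


def parse_cff_index(buf: bytes, pos: int):
    """Parse one CFF INDEX at buf[pos:] with full bounds checking.

    Layout (CFF spec, INDEX structure): count (2 bytes), offSize (1 byte),
    count+1 one-based offsets of offSize bytes each (big-endian), then the
    data block whose length is offsets[count] - 1.  Returns (items, end_pos)
    or raises ValueError on any offset that leaves the data block.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated INDEX: no count field")
    count = struct.unpack_from(">H", buf, pos)[0]
    pos += 2
    if count == 0:
        return [], pos                      # an empty INDEX has no offSize/offsets
    if pos >= len(buf):
        raise ValueError("truncated INDEX: no offSize field")
    off_size = buf[pos]
    pos += 1
    if off_size not in (1, 2, 3, 4):
        raise ValueError(f"invalid offSize {off_size}")
    n_off = count + 1
    if pos + n_off * off_size > len(buf):
        raise ValueError("truncated INDEX: offset array runs past buffer")
    offsets = [int.from_bytes(buf[pos + i * off_size: pos + (i + 1) * off_size], "big")
               for i in range(n_off)]
    pos += n_off * off_size
    data_start = pos
    if offsets[0] != 1:
        raise ValueError(f"offset[0] must be 1, got {offsets[0]}")
    data_len = offsets[-1] - 1
    if data_start + data_len > len(buf):
        raise ValueError("INDEX data block runs past buffer")
    # This is the check the vulnerable parser lacked: each offset[x] must be
    # non-decreasing and must not point beyond the data block.
    for i in range(count):
        lo, hi = offsets[i], offsets[i + 1]
        if hi < lo or hi - 1 > data_len:
            raise ValueError(f"offset[{i + 1}]=0x{hi:x} out of bounds of "
                             f"INDEX data ({data_len} bytes)")
    items = [buf[data_start + offsets[i] - 1: data_start + offsets[i + 1] - 1]
             for i in range(count)]
    return items, data_start + data_len


def locate_cff_table(font: bytes) -> bytes:
    """Return the raw 'CFF ' table of an OpenType (sfnt) file, or the buffer
    itself when it is already a bare CFF blob."""
    if font[:4] == b"OTTO":
        num_tables = struct.unpack_from(">H", font, 4)[0]
        for i in range(num_tables):
            rec = 12 + 16 * i               # table records follow the 12-byte header
            if rec + 16 > len(font):
                raise ValueError("truncated sfnt table directory")
            tag, _checksum, off, length = struct.unpack_from(">4sIII", font, rec)
            if tag == b"CFF ":
                if off + length > len(font):
                    raise ValueError("'CFF ' table runs past end of file")
                return font[off:off + length]
        raise ValueError("no 'CFF ' table in sfnt container")
    return font


def audit_name_index(font: bytes) -> dict:
    """Audit the Name INDEX of a font; never raises, returns a verdict dict."""
    try:
        cff = locate_cff_table(font)
        if len(cff) < 4 or cff[0] != 1:
            raise ValueError("not a CFF version 1 blob")
        hdr_size = cff[2]                   # header: major, minor, hdrSize, offSize
        names, _ = parse_cff_index(cff, hdr_size)
        return {"ok": True, "names": [n.decode("latin-1") for n in names], "error": None}
    except ValueError as exc:
        return {"ok": False, "names": [], "error": str(exc)}


def _wrap_otf(cff: bytes) -> bytes:
    """Constructed minimal sfnt wrapper with a single 'CFF ' table record."""
    header = b"OTTO" + struct.pack(">HHHH", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"CFF ", 0, 12 + 16, len(cff))
    return header + record + cff


CFF_HEADER = bytes([1, 0, 4, 1])            # major 1, minor 0, hdrSize 4, offSize 1
# Constructed well-formed font: Name INDEX count=1, offsets [1, 9], data "TestFont".
GOOD_OTF = _wrap_otf(CFF_HEADER + b"\x00\x01" + b"\x01" + bytes([1, 9]) + b"TestFont")
# Constructed malformed font: count=2 with offset[1]=0x41, far past the 8-byte
# data block; a parser that trusts offset[x] would read outside the INDEX.
BAD_OTF = _wrap_otf(CFF_HEADER + b"\x00\x02" + b"\x01" + bytes([1, 0x41, 9]) + b"TestFont")

if __name__ == "__main__":
    for label, sample in (("good", GOOD_OTF), ("bad", BAD_OTF)):
        print(label, audit_name_index(sample))
```

Run the script on a file by replacing the constructed samples with `audit_name_index(open(path, "rb").read())`; a verdict with `ok` false is the signal to quarantine the font rather than let a font-loading application touch it. The same parse_cff_index routine applies unchanged to the Top DICT, String and Global Subr INDEXes that follow the Name INDEX, since they share the structure.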