cbcvebase.
CVE-2015-6103
published 2015-11-11

CVE-2015-6103: The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012…

PriorityP273critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
35.29%
98.2th percentile
The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Windows Graphics Memory Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-6104.

Affected

3 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_server_2008
microsoftwindows_server_2012

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip
processwin32k.sys
commandwin32k!NtGdiGetTextExtentExW
commandwin32k!GreRemoveFontMemResourceEx
  • Crash/exploitation occurs during processing of a TTF font file with a malformed 'OS/2' table in win32k.sys; monitor for kernel pool corruption (PAGE_FAULT_IN_NONPAGED_AREA / bugcheck 0x50) originating from win32k!memmove within the font rendering call stack.
  • Enable Special Pools for win32k.sys to reliably trigger an immediate crash on exploitation attempt, aiding in detection and forensic analysis.
  • The vulnerability is triggered via crafted embedded TTF fonts; inspect documents or web content loading fonts through the Adobe Type Manager Library or GDI font rendering path (NtGdiGetTextExtentExW syscall).
  • ·Reproduction of the crash may require a custom program that displays all font glyphs at various point sizes; passive loading alone may not trigger the vulnerability.
  • ·Pool corruption may cause delayed or non-deterministic system crashes on default Windows installations, making reliable detection harder without Special Pools enabled.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.