CVE-2015-6104
published 2015-11-11


Priority P273, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.29% (98.2th percentile)
The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Windows Graphics Memory Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-6103.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_10 | |
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38713.zip
process: win32k.sys
  • Monitor for kernel pool-based buffer overflow crashes (DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION / bugcheck 0xD6) in win32k.sys, specifically in functions or_all_4_wide_rotated_need_last, or_all_N_wide_rotated_need_last, or_all_N_wide_rotated_no_last, or or_all_N_wide_unrotated — triggered during TTF glyph rendering via EngTextOut.
  • The crash is triggered during glyph display (EngTextOut call path), not during font loading — detection should focus on rendering-time kernel crashes rather than font-load events.
  • Malicious TTF files exploit crafted/replaced glyph TrueType programs (not the font metadata). Inspect embedded TTF fonts for anomalous or machine-generated TrueType glyph programs as an indicator of weaponized samples.
  • Enable Special Pools for win32k.sys in test/sandbox environments to force an immediate, deterministic crash on exploitation attempt, aiding in reliable detection of CVE-2015-6104 exploit attempts.
  • The vulnerability is triggered via a crafted embedded font delivered to a remote target — inspect documents and web content for embedded TTF fonts with unusual or oversized glyph program bytecode sections.
  • Proof-of-concept TTF samples require a custom display program that renders all glyphs at various point sizes to trigger the overflow; simply loading the font is insufficient to reproduce the crash.
  • This CVE (CVE-2015-6104) is a distinct vulnerability from CVE-2015-6103 despite both being described as 'Windows Graphics Memory Remote Code Execution Vulnerability' in the same advisory (MS15-115).