CVE-2016-3393
published 2016-10-14

CVE-2016-3393: Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012…

Priority: P184 (high)
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2022-06-15
ITW: Exploited in the wild
EPSS: 68.68% (99.3th percentile)
Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Graphics Component RCE Vulnerability."

Affected

14 ranges

Vendor     Product                                        Version range  Fixed in
microsoft  windows_server_2008
microsoft  windows_server_2012
msrc       windows_10
msrc       windows_10_version_1511
msrc       windows_10_version_1607
msrc       windows_7
msrc       windows_8.1
msrc       windows_rt_8.1
msrc       windows_server_2008
msrc       windows_server_2008_r2
msrc       windows_server_2012
msrc       windows_server_2012_r2
msrc       windows_vista_service_pack_2
msrc       windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

process: fontdrvhost.exe
  • The exploit is delivered as a specially crafted TTF font file loaded directly into memory via AddFontMemResourceEx — monitor for unusual in-memory font loading via this API, especially from non-standard processes.
  • The vulnerability is triggered in win32k!cjComputeGLYPHSET_MSFT_GENERAL — monitor for crashes or anomalous behavior in Win32k.sys related to cmap table parsing.
  • Post-exploitation involves spawning PowerShell with a meterpreter-style C2 script — hunt for PowerShell processes spawned with elevated privileges following browser or font-related activity.
  • The EoP module runs entirely in memory without touching disk — standard file-based detection will miss it; focus on behavioral/memory scanning.
  • Full technical details of the vulnerability were intentionally withheld by Kaspersky Lab to prevent additional threat actors from weaponizing the exploit.
  • On Windows 10, font processing occurs in a sandboxed user-mode process (fontdrvhost.exe) with restricted privileges, which limits but does not eliminate the impact of this vulnerability.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           8.8    HIGH