cbcvebase.
CVE-2017-8682
published 2017-09-13

CVE-2017-8682: Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold…

Priority P271 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 49.77% (98.8th percentile)
Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, Windows Server 2016, Microsoft Office Word Viewer, Microsoft Office 2007 Service Pack 3, and Microsoft Office 2010 Service Pack 2 allows an attacker to execute remote code by the way it handles embedded fonts, aka "Win32k Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-8683.

Affected

21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_10 | | |
| microsoft | windows_server_2008 | | |
| microsoft | windows_server_2012 | | |
| microsoft_corporation | windows_graphics | | |
| msrc | microsoft_office_2007_service_pack_3 | | |
| msrc | microsoft_office_2010_service_pack_2 | | |
| msrc | microsoft_office_word_viewer | | |
| msrc | windows_10 | | |
| msrc | windows_10_version_1511 | | |
| msrc | windows_10_version_1607 | | |
| msrc | windows_10_version_1703 | | |
| msrc | windows_7 | | |
| msrc | windows_8.1 | | |
| msrc | windows_rt_8.1 | | |
| msrc | windows_server_2008 | | |
| msrc | windows_server_2008_r2 | | |
| msrc | windows_server_2012 | | |
| msrc | windows_server_2012_r2 | | |
| msrc | windows_server_2016 | | |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42744.zip
filename: win32k.sys
  • Monitor calls to the GetGlyphOutline() API iterating over all glyphs of a font, particularly when processing TTF files with a malformed 'fpgm' table — this is the trigger mechanism for the vulnerability.
  • Look for kernel crashes (PAGE_FAULT_IN_NONPAGED_AREA / bugcheck 0x50) in win32k.sys at functions bGeneratePath, PATHOBJ_bCloseFigure, vQsplineToPolyBezier, or EngDeleteRgn when processing embedded fonts — these are crash signatures of CVE-2017-8682 exploitation.
  • Inspect TTF font files (especially embedded in documents or web pages) for a modified 'fpgm' table where an instruction has been changed to 'FLIPPT' — this is the specific mutation that triggers the out-of-bounds read/write.
  • Detect web-based delivery: monitor for user navigation to attacker-controlled sites hosting specially crafted embedded fonts, or email/IM lures directing users to such sites, as these are the primary attack vectors for CVE-2017-8682.
  • Detect file-sharing delivery: monitor for document files containing embedded fonts opened by users, as this is a secondary attack vector for CVE-2017-8682.
  • The crash in win32k!vQsplineToPolyBezier+83 (write operation) indicates potential memory corruption leading to arbitrary code execution — treat any such kernel crash during font processing as a high-severity indicator.
  • Reproduction requires a custom program calling GetGlyphOutline() across all glyphs; passive file-drop alone may not trigger the vulnerability without this API interaction.
  • The researcher confirmed reproduction only on Windows 7 at time of disclosure; other platforms were not verified.

CVSS provenance

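| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | | 8.4 | HIGH | |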