cbcvebase.
CVE-2019-1118
published 2019-07-15

CVE-2019-1118: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP266high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
23.67%
97.5th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

filenamedo_blend_cube.otf
filenamedo_set_weight_vector_cube.otf
  • Trigger path: malicious OpenType variable font embedded in a webpage, triggered when the user prints from Microsoft Edge (to PDF, XPS, or physical/virtual printer), reaching dwrite!AdobeCFF2Snapshot via d2d1!dxc::TextConvertor::InstanceFontResources → dwrite!DWriteFactory::CreateInstancedStream / dwrite!DWriteFontFace::CreateInstancedStream → FontInstancer class methods.
  • The vulnerability is triggered by invoking do_blend_cube() or do_set_weight_vector_cube() in a CharString (e.g. for glyph 'A') without a preceding tx_compose instruction, causing cubeStackDepth to remain at -1 and resulting in an out-of-bounds access into cube[-1] / stack.blendArgs[92].
  • Stack corruption occurs in t2cstr.c:1057 (do_blend_cube) and t2cstr.c:992 (do_set_weight_vector_cube) when cubeStackDepth is -1, causing h->cube[-1] to overlap with _t2cCtx.stack.blendArgs[92] — potentially user-controlled stack memory.
  • Monitor for calls to dwrite!AdobeCFF2Snapshot and dwrite!DWriteFactory::CreateInstancedStream / dwrite!DWriteFontFace::CreateInstancedStream during font rendering in Edge or Direct2D printing contexts as an indicator of variable font instancing code being exercised.
  • ·Exploitation requires the user to actively trigger Direct2D printing (e.g. print-to-PDF/XPS) from Microsoft Edge while viewing a page with a malicious embedded OpenType variable font; passive browsing alone is insufficient.
  • ·Microsoft assessed exploitation as 'Less Likely' for both latest and older software releases at time of disclosure; the vulnerability was publicly disclosed but not observed exploited in the wild.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.