cbcvebase.
CVE-2019-1122
published 2019-07-15

CVE-2019-1122: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP265high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
16.94%
96.7th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

pathafdko/c/public/lib/source/cffread/cffread.c
filenamepoc.otf
command./tx -cff poc.otf
  • The vulnerability is triggered via the Direct2D printing interface in Microsoft Edge; monitor for Edge processes initiating print operations (to PDF, XPS, or physical/virtual printers) that load OpenType variable fonts, as this invokes dwrite!AdobeCFF2Snapshot via FontInstancer.
  • Look for call stacks involving dwrite!AdobeCFF2Snapshot → FontInstancer → dwrite!DWriteFontFace::CreateInstancedStream or dwrite!DWriteFactory::CreateInstancedStream → d2d1!dxc::TextConvertor::InstanceFontResources as indicators of exploitation attempt.
  • Detect specially crafted OTF files that contain both a valid CFF2 table and a malformed/extra CFF table; the malicious CFF table takes precedence over CFF2 in AFDKO's srcOpen() logic and triggers the heap buffer overflow in readStrings().
  • ·The integer overflow in readStrings() (cffread.c:1738) is only exploitable on platforms where 'long' is a 32-bit type, limiting the attack surface to Windows x86/x64 and Linux x86 builds.
  • ·The CreateInstancedStream method is not a public COM interface; the known reachable attack path is exclusively through d2d1!dxc::TextConvertor::InstanceFontResources (e.g., Edge printing). Other attack vectors may exist but are unconfirmed.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.