cbcvebase.
CVE-2019-1127
published 2019-07-15

CVE-2019-1127: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP266high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
20.63%
97.2th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1128.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

filenamepoc.otf
urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47088.zip
  • Monitor calls to DWrite!AdobeCFF2Snapshot → DWrite!FontInstancer::InstanceCffTable → DWrite!FontInstancer::CreateInstanceInternal → DWrite!DWriteFontFace::CreateInstancedStream in the Edge renderer process; this call chain is the execution path for the vulnerability.
  • The vulnerability is triggered when Microsoft Edge renders a page with an embedded OpenType variable font and the user initiates printing (to PDF, XPS, or a physical/virtual printer); detection should focus on print operations involving variable OTF fonts in Edge.
  • The crash/exploit path goes through d2d1!dxc::TextConvertor::InstanceFontResources and d2d1!dxc::CXpsPrintControl::Close in the Edge renderer; access violations in DWrite!do_set_weight_vector_cube from this call stack are a strong indicator of exploitation.
  • An access violation (code c0000005) in DWrite!do_set_weight_vector_cube+0x16a during Edge renderer activity is a direct crash signature for this CVE; look for this exception in crash telemetry or WER reports.
  • The malicious font exploits the tx_SETWVN instruction with a negative nAxes value (e.g. -100000); OpenType variable fonts (.otf) containing a tx_SETWVN opcode with a negative operand should be flagged for analysis.
  • ·The exploit path via CreateInstancedStream is only reachable through the Direct2D printing interface; the vulnerability requires a user to actively print a page containing the malicious variable font — passive browsing alone does not trigger it.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.