🟢 CVE-2011-3402

CVE-2011-3402 is a TrueType font parsing vulnerability in Windows kernel-mode drivers that was exploited by the Duqu malware. The vulnerability requires user interaction to open a malicious Word document or visit a compromised web page containing crafted font data.

Risk Level: LOW_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1203 — Exploitation for Client Execution

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2011-11-04

Added to CISA KEV: 2025-10-06 (5085 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2011-3402 is a critical vulnerability in the TrueType font parsing engine of the Windows kernel (`win32k.sys`) that gained significant notoriety in late 2011. A summary follows.

Overview and Impact
  • Vulnerability Type: A kernel-mode vulnerability in the TrueType font parsing engine.
  • Impact: Successful exploitation allows an attacker to execute arbitrary code with kernel-mode privileges. This grants the attacker full control over the system, including the ability to install programs, modify or delete data, and create new accounts with administrative rights.
Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability was famously exploited in the wild in November 2011 as a zero-day by the Duqu threat actor [4].
  • Attack Method: Exploitation is triggered by processing specially crafted font data. This can be delivered remotely via malicious web pages or embedded within documents (such as Microsoft Word files) that the user is induced to open [2].
  • User Interaction: The attack typically requires user interaction, such as visiting a compromised website or opening a malicious document.
  • Evolution: Following its initial use by the sophisticated Duqu actor, the exploit code (and the specific font file used) was later incorporated into various crimeware exploit kits to target a wider population [1].
Ransomware and Proof-of-Concept
  • Ransomware: While the exploit was used by advanced persistent threat (APT) actors and later by general crimeware kits, it is not primarily categorized as a "ransomware" vulnerability, though it could theoretically be used as an initial access or privilege escalation vector for any malware, including ransomware.
  • Availability: Proof-of-concept exploits and the malicious font files have been publicly analyzed and are available in security research contexts [1] [5].
Affected Products and Mitigation
  • Affected Versions: The vulnerability affected a wide range of older Windows operating systems, including Windows XP (SP2/SP3), Windows Server 2003 (SP2), Windows Vista (SP2), Windows Server 2008 (SP2, R2, R2 SP1), and Windows 7 (Gold and SP1) [3].
  • Status: Microsoft addressed this vulnerability in 2011. Systems running these legacy versions of Windows should be fully patched or, more appropriately, upgraded to modern, supported operating systems, as these versions are long past their end-of-life support dates.

Sources

  1. CVE-2011-3402 Technical Analysis - media.ccc.de

    CVE-2011-3402 is well known as the Windows Kernel TrueType [Font] 0-day used in the "Duqu" attack(s). Recently this exploit has begun to appear in several crim…

  2. CVE-2011-3402 | High Vulnerability in Microsoft Windows

    Attackers can exploit this vulnerability to execute arbitrary code by leveraging crafted font data present in Word documents or web pages. This ...

  3. NVD - CVE-2011-3402

    Description. Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, ... CVE-2011-3402 Detail. Deferred. Unspecified vulnerability in the Tru…

  4. Unspecified vulnerability in the TrueType font parsing... · CVE-2011 ...

    ... crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability." Attack vect…

  5. CVE-2011-3402 - Exploits & Severity - Feedly

    Oct 9, 2023 at 9:06 PM, Threat Intelligence Report. The vulnerability CVE-2011-3402 affects the TrueType font parsing engine in win32k and is exploited in the wild by Duqu. It has a criticality level, with proof-of-concept exploits available.