CVE-2011-3402
Published: 04 November 2011
Summary
CVE-2011-3402 is a high-severity vulnerability (weakness type unspecified) in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability CVE-2011-3402 is an unspecified flaw in the TrueType font parsing engine in win32k.sys within the kernel-mode drivers. It affects Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1.
Remote attackers can exploit the issue by supplying crafted font data in a Word document or web page, resulting in arbitrary code execution. The vulnerability carries a CVSS score of 8.8 and was used in targeted attacks in November 2011.
Public references, including Microsoft Security Advisory 2639658, McAfee analysis of Duqu, SANS mitigation guidance, and Secunia advisories 49121 and 49122, discuss available patches and workarounds for the TrueType Font Parsing Vulnerability. The flaw was exploited in the wild by the Duqu malware.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-3365
Vulnerability details
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
- CWE(s)
- KEV Date Added: 06 October 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that eliminates the TrueType font parsing flaw in win32k.sys.
Malicious-code protection mechanisms can inspect or sandbox documents and web pages containing crafted TrueType fonts before kernel parsing occurs.
Integrity verification of incoming documents or font files can flag unauthorized modifications used to exploit the parsing engine.