Cyber Resilience

CVE-2011-3402

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 November 2011
Modified: 22 April 2026
KEV Added: 06 October 2025
Patch: available
CVSS Score (v3.1): 8.8 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.8831 (99.5th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2011-3402 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in the TrueType font parsing engine of win32k.sys, the kernel-mode driver shipped with Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.5% of all CVEs by EPSS exploit likelihood (score 0.8831), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

The vulnerability CVE-2011-3402 is an unspecified flaw in the TrueType font parsing engine in win32k.sys within the kernel-mode drivers. It affects Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1.

Remote attackers exploit the issue by delivering crafted font data embedded in a Word document or a web page; the only precondition is that a user opens the document or visits the page (the vector's PR:N and UI:R). Because the font is parsed by win32k.sys, successful exploitation runs attacker code in kernel mode rather than in the application that opened the file. The vulnerability carries a CVSS score of 8.8 and was used in targeted attacks in November 2011.

Public references, including Microsoft Security Advisory 2639658, McAfee's analysis of Duqu, SANS mitigation guidance, and Secunia advisories 49121 and 49122, discuss the available patches and workarounds for the TrueType Font Parsing Vulnerability; the permanent fix shipped in Microsoft Security Bulletin MS11-087 (December 2011), and the advisory's interim workaround denied access to the t2embed.dll font-embedding library. The flaw was exploited in the wild by the Duqu malware.


Vulnerability details

Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."

CWE(s): none assigned (the weakness type is unspecified)

Related Threats

No named threat actor is attributed to this CVE here (Duqu, the malware that exploited it, is named above). ATT&CK technique mapping is listed as in progress; the delivery paths described above correspond to T1204.002 (User Execution: Malicious File) and T1203 (Exploitation for Client Execution).

Affected Assets

Microsoft Windows 7, all versions
Microsoft Windows Server 2003, all versions
Microsoft Windows Server 2008, all versions
Microsoft Windows Vista, all versions
Microsoft Windows XP, all versions

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patch that eliminates the TrueType font parsing flaw in win32k.sys. On hosts that cannot be patched, the advisory workaround (denying access to t2embed.dll) reduces exposure at the cost of breaking applications that rely on embedded fonts.

SI-3 Malicious Code Protection (prevent, detect)

Malicious-code protection mechanisms can inspect or sandbox documents and web pages containing crafted TrueType fonts before the kernel parses them. Note that the parsing happens in win32k.sys once a document is opened, so inspection has to occur before the file reaches the user's application.

Integrity verification (detect)

Integrity verification of incoming documents or font files can flag unauthorized modifications used to exploit the parsing engine, for example a font whose table directory points outside the file or whose table checksums no longer match their contents.
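The last two controls come down to inspecting font data before a parser sees it. The following is an added example, not code from this page, from Microsoft or from the cited advisories: a Python scanner that locates embedded TrueType (sfnt) fonts in a byte blob, validates each table directory (header consistency, table bounds, per-table checksums) and reports whether the font ships TrueType instruction programs (fpgm, prep) and their control values (cvt). The document body, the font and the two tampered variants are all constructed inline and are not real samples. Real Word files wrap embedded fonts (for example as obfuscated .odttf members inside a .docx), so in practice you would extract those first and hand the raw bytes to scan_blob.

```python
"""Find embedded TrueType fonts in a blob and sanity-check their table directories.
Added example; sample data below is constructed, not taken from any real document."""
import struct
from dataclasses import dataclass, field

SFNT_TRUETYPE = b"\x00\x01\x00\x00"          # sfnt version tag of a TrueType-outline font
HINT_TABLES = {b"fpgm", b"prep", b"cvt "}    # instruction programs and their control values
MAX_TABLES = 64                              # sanity bound; real fonts have far fewer tables


@dataclass
class FontReport:
    offset: int                                   # position of the sfnt header in the blob
    tables: dict = field(default_factory=dict)    # tag -> (offset, length), relative to the font
    hinting: bool = False                         # True if the font carries hinting tables
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def sfnt_checksum(data: bytes) -> int:
    """sfnt table checksum: sum of big-endian uint32 words over the table zero-padded to 4 bytes."""
    data += b"\0" * ((-len(data)) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF


def header_is_plausible(blob: bytes, start: int) -> bool:
    """Reject stray 00 01 00 00 sequences: the three derived header fields must match numTables."""
    if start + 12 > len(blob):
        return False
    n, search_range, entry_selector, range_shift = struct.unpack_from(">HHHH", blob, start + 4)
    if not 1 <= n <= MAX_TABLES:
        return False
    p = 1 << (n.bit_length() - 1)               # largest power of two <= numTables
    return (search_range, entry_selector, range_shift) == (p * 16, n.bit_length() - 1, (n - p) * 16)


def parse_sfnt(blob: bytes, start: int) -> FontReport:
    """Walk the table directory at `start`, checking every table's bounds and checksum."""
    rep = FontReport(offset=start)
    n, = struct.unpack_from(">H", blob, start + 4)
    dir_len = 12 + 16 * n
    if start + dir_len > len(blob):
        rep.errors.append("table directory truncated")
        return rep
    for i in range(n):
        tag, checksum, off, length = struct.unpack_from(">4sIII", blob, start + 12 + 16 * i)
        if off < dir_len or start + off + length > len(blob):
            rep.errors.append(f"table {tag!r} lies outside the font data (offset={off}, length={length})")
            continue
        data = blob[start + off:start + off + length]
        if tag == b"head":                        # checkSumAdjustment is excluded from head's checksum
            data = data[:8] + b"\0\0\0\0" + data[12:]
        if sfnt_checksum(data) != checksum:
            rep.errors.append(f"table {tag!r} checksum mismatch")
        rep.tables[tag] = (off, length)
    rep.hinting = bool(HINT_TABLES.intersection(rep.tables))
    return rep


def scan_blob(blob: bytes) -> list:
    """Return a FontReport for every plausible sfnt header found anywhere in `blob`."""
    reports, pos = [], blob.find(SFNT_TRUETYPE)
    while pos != -1:
        if header_is_plausible(blob, pos):
            reports.append(parse_sfnt(blob, pos))
        pos = blob.find(SFNT_TRUETYPE, pos + 1)
    return reports


def build_font(tables: dict) -> bytes:
    """Assemble a minimal well-formed sfnt from {tag: data}; used only to construct sample input."""
    tags, n = sorted(tables), len(tables)
    p = 1 << (n.bit_length() - 1)
    out = struct.pack(">4sHHHH", SFNT_TRUETYPE, n, p * 16, n.bit_length() - 1, (n - p) * 16)
    body, offset = b"", 12 + 16 * n
    for tag in tags:
        data = tables[tag]
        padded = data + b"\0" * ((-len(data)) % 4)
        out += struct.pack(">4sIII", tag, sfnt_checksum(data), offset, len(data))
        body, offset = body + padded, offset + len(padded)
    return out + body


# Constructed sample data (no real malware): a stand-in document body embedding one font
# that carries a font program (fpgm), plus two tampered variants produced below.
HEAD = struct.pack(">IIII", 0x00010000, 0x00010000, 0, 0x5F0F3CF5) + b"\0" * 38  # 54-byte head
FPGM = bytes.fromhex("b0002cb100012d2d")     # arbitrary stand-in bytes, not a real program
CLEAN_FONT = build_font({b"head": HEAD, b"fpgm": FPGM, b"glyf": b"\0" * 16})
CLEAN_DOC = b"<stand-in document body> " + CLEAN_FONT + b" <trailer>"
FONT_OFF = CLEAN_DOC.index(CLEAN_FONT)


def tampered_docs() -> tuple:
    """(a) one fpgm byte flipped without updating its checksum; (b) glyf length inflated past the end."""
    rep = parse_sfnt(CLEAN_DOC, FONT_OFF)
    fpgm_off = FONT_OFF + rep.tables[b"fpgm"][0]
    modified = CLEAN_DOC[:fpgm_off] + bytes([CLEAN_DOC[fpgm_off] ^ 0xFF]) + CLEAN_DOC[fpgm_off + 1:]
    glyf_len = FONT_OFF + 12 + 16 * list(rep.tables).index(b"glyf") + 12   # length field of glyf record
    inflated = CLEAN_DOC[:glyf_len] + struct.pack(">I", 0x7FFFFFFF) + CLEAN_DOC[glyf_len + 4:]
    return modified, inflated


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), *zip(("modified", "inflated"), tampered_docs())):
        for r in scan_blob(doc):
            print(label, hex(r.offset), sorted(r.tables), "hinting" if r.hinting else "", r.errors)
```

The header consistency test (searchRange, entrySelector, rangeShift derived from numTables) is what keeps the scanner from treating every 00 01 00 00 in a binary as a font, including the two such sequences inside the sample's own head table. A report with errors is the integrity signal: the bytes were altered after the directory was written, or the directory was crafted to point where no table lies, and either case should stop the file before a user opens it.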
