Cyber Resilience

CVE-2016-7256

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 November 2016
Modified: 22 April 2026
KEV Added: 25 May 2022
Patch: available (MS16-132)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5551 (98.1th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-7256 is a high-severity vulnerability of an unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2016-7256 resides in atmfd.dll in the Windows font library and affects Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016. It is described as an "Open Type Font Remote Code Execution Vulnerability" that can be triggered through specially crafted font input.

Remote attackers can exploit the flaw by serving a crafted web site to a victim, achieving arbitrary code execution on the target system. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no required privileges, required user interaction, and high impact to confidentiality, integrity, and availability.

Microsoft security bulletin MS16-132 supplies patches that address the issue across the listed Windows versions and includes associated mitigation guidance.


Vulnerability details

atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to execute arbitrary code via a crafted web site, aka "Open Type Font Remote Code Execution Vulnerability."

CWE(s): none listed
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1507: all versions
Microsoft Windows 10 1511: all versions
Microsoft Windows 10 1607: all versions
Microsoft Windows 7: all versions
Microsoft Windows 8.1: all versions
Microsoft Windows RT 8.1: all versions
Microsoft Windows Server 2008: all versions, R2
Microsoft Windows Server 2012: all versions, R2
Microsoft Windows Server 2016: all versions
Microsoft Windows Vista: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly addresses the CVE by requiring timely application of the vendor patches supplied in MS16-132 that eliminate the atmfd.dll parsing flaw.

SI-10 Information Input Validation (prevent)

Enforces validation of untrusted OpenType font input before it reaches atmfd.dll, blocking the crafted data that triggers remote code execution.

Malicious code protection (prevent, detect)

Provides malicious-code detection and blocking mechanisms that can identify and stop exploitation attempts delivered via malicious web-served fonts.
