What is win32k.sys?
win32k.sys is the kernel-mode half of the Windows Win32 subsystem: GDI graphics rendering, USER window management, and the font engine that rasterizes TrueType glyphs for both. Because it runs in kernel mode, a memory-corruption bug in win32k.sys gives an attacker code execution at the highest privilege level on the machine, above any user-mode sandbox or token. TrueType parsing lives deep inside win32k.sys, and the complexity of the TrueType specification (dozens of table types plus a hinting bytecode interpreter) made that parser a rich source of critical kernel vulnerabilities throughout the 2000s and 2010s.
Overview
CVE-2011-3402 is a remote code execution vulnerability in the TrueType font parsing engine within win32k.sys. Processing a maliciously crafted TrueType font embedded in a Word document or loaded from a web page triggers the vulnerability and allows arbitrary code execution at the kernel level. This is the vulnerability used by Duqu — a highly sophisticated malware widely attributed to a nation-state actor and believed to share code with Stuxnet — as its initial compromise vector against industrial control system manufacturers.
Microsoft published Security Advisory 2639658 with a Fix it workaround on November 3, 2011, and shipped the fix as bulletin MS11-087 on December 13, 2011, the regular December Patch Tuesday rather than an out-of-band release.
Affected Versions
| Operating System | Affected |
|---|---|
| Windows XP SP3 | Yes |
| Windows XP x64 Edition SP2 | Yes |
| Windows Server 2003 SP2 (all editions) | Yes |
| Windows Vista SP2 | Yes |
| Windows Server 2008 SP2 | Yes |
| Windows 7 (RTM and SP1) | Yes |
| Windows Server 2008 R2 (RTM and SP1) | Yes |
Technical Details
The TrueType font format is a complex binary specification with numerous table types and a program of rendering hints. Microsoft's bulletin describes the flaw as improper handling of specially crafted TrueType font files: a crafted value in one of the font's data fields drives the kernel-mode parser into memory corruption, which the attacker then steers into code execution. The parser trusts the font's own offsets, lengths and counts, which is exactly what a malicious font controls.
Attack delivery vectors:
- Word document: a malicious TrueType font embedded in a .doc file; opening the document in Microsoft Word triggered font rendering in win32k.sys
- Web page: a web page referencing a malicious TrueType font (via CSS @font-face or embedded in a page element) could trigger the vulnerability when rendered in Internet Explorer
Because the vulnerable code runs in the kernel, successful exploitation yields arbitrary code execution in kernel mode. That is stronger than a SYSTEM token: no user-mode control (the Office or browser sandbox, integrity levels, UAC, DEP in the victim process) sits between the font data and the kernel, so a single crafted font goes from document to ring 0 in one step.
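The page does not name the exact field the Duqu font corrupted, so the following added example (not Duqu's exploit and not Microsoft's win32k code) shows the general class of check a font parser needs at its outermost layer: walking the sfnt table directory and refusing any table whose offset and length do not fit inside the file. It places a naive 32-bit bounds check, which a crafted length field wraps past, beside a hardened validator. The sample fonts are constructed in memory, and the table cap `TTF_MAX_TABLES` is an assumed sanity limit, not a TrueType constant.

```c
/* Added example (not Duqu's exploit and not Microsoft's code): a bounds-checking
 * validator for the TrueType/sfnt table directory, beside the naive 32-bit check
 * that a crafted length field defeats. Sample fonts are constructed in memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TTF_MAX_TABLES 64   /* assumed sanity cap; real fonts carry roughly 10-30 tables */

enum ttf_status { TTF_OK = 0, TTF_TRUNCATED, TTF_BAD_MAGIC, TTF_BAD_COUNT,
                  TTF_TABLE_OOB, TTF_TABLE_OVERLAP };

/* sfnt structures are big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* The check a careless parser makes: offset + length computed in 32 bits wraps
 * around, so a huge attacker-supplied length appears to fit inside the file. */
int naive_bounds_ok(uint32_t off, uint32_t len, uint32_t file_len) {
    return off + len <= file_len;
}

/* Hardened directory walk: header and every record must fit, each table must start
 * past the directory, offset+length is computed in 64 bits, and tables may not overlap. */
enum ttf_status ttf_validate_directory(const uint8_t *buf, size_t len) {
    if (len < 12) return TTF_TRUNCATED;
    uint32_t magic = be32(buf);
    if (magic != 0x00010000u && magic != 0x74727565u /* 'true' */) return TTF_BAD_MAGIC;
    uint16_t n = be16(buf + 4);
    if (n == 0 || n > TTF_MAX_TABLES) return TTF_BAD_COUNT;
    size_t dir_end = 12 + (size_t)n * 16;          /* cannot overflow: n <= 64 */
    if (dir_end > len) return TTF_TRUNCATED;
    uint64_t start[TTF_MAX_TABLES], end[TTF_MAX_TABLES];
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 12 + (size_t)i * 16;  /* tag, checksum, offset, length */
        uint64_t off = be32(rec + 8), tlen = be32(rec + 12);
        if (off < dir_end || off + tlen > len) return TTF_TABLE_OOB;
        start[i] = off; end[i] = off + tlen;
        for (uint16_t j = 0; j < i; j++)             /* overlap with any earlier table */
            if (tlen && end[j] > start[j] && start[i] < end[j] && start[j] < end[i])
                return TTF_TABLE_OVERLAP;
    }
    return TTF_OK;
}

/* Constructed sample: a 52-byte sfnt with two tables, 'cmap' at bytes 44..48 and
 * 'head' at the caller-supplied offset/length (the field a crafted font would tamper with). */
size_t build_sample_font(uint8_t *out, uint32_t head_off, uint32_t head_len) {
    memset(out, 0, 52);
    put32(out, 0x00010000u); put16(out + 4, 2);
    put16(out + 6, 32); put16(out + 8, 1); put16(out + 10, 0);  /* searchRange, entrySelector, rangeShift */
    memcpy(out + 12, "cmap", 4); put32(out + 20, 44); put32(out + 24, 4);
    memcpy(out + 28, "head", 4); put32(out + 36, head_off); put32(out + 40, head_len);
    return 52;
}

enum ttf_status check_sample(uint32_t head_off, uint32_t head_len) {
    uint8_t f[52];
    return ttf_validate_directory(f, build_sample_font(f, head_off, head_len));
}

int naive_on_sample(uint32_t head_off, uint32_t head_len) {
    uint8_t f[52];
    size_t n = build_sample_font(f, head_off, head_len);
    return naive_bounds_ok(head_off, head_len, (uint32_t)n);
}

int main(void) {
    printf("well-formed:      %d (0 = ok)\n", check_sample(48, 4));
    printf("offset past EOF:  %d\n", check_sample(1000, 4));
    printf("overlapping cmap: %d\n", check_sample(44, 8));
    printf("wrapping length:  naive=%d hardened=%d\n",
           naive_on_sample(48, 0xFFFFFFFCu), check_sample(48, 0xFFFFFFFCu));
    return 0;
}
```

The wrapping case is the one to study: with `head` at offset 48 and length 0xFFFFFFFC the naive sum is 44, comfortably inside a 52-byte file, and a parser that then copies or indexes `length` bytes reads far past the buffer. The directory is only the first layer; every table parsed afterwards (cmap subtables, glyf offsets from loca, the hinting program) needs the same discipline, and the kernel is the worst place to get it wrong.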
Discovery
Duqu was discovered by the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics in September–October 2011. Analysis of Duqu's dropper component revealed the TrueType font zero-day as the initial infection mechanism. CrySyS coordinated disclosure with Microsoft and Symantec, leading to Microsoft's Security Advisory 2639658 and ultimately the emergency MS11-087 patch.
Exploitation Context
This CVE's significance is inseparable from Duqu. Duqu was a highly sophisticated Remote Access Trojan and reconnaissance tool, widely believed to be developed by the same threat actor responsible for Stuxnet — the nation-state malware that physically sabotaged Iranian nuclear centrifuges. Duqu appeared to be a precursor tool for gathering intelligence about industrial control systems and their supply chain.
Duqu was delivered via malicious Word documents sent to specific, carefully chosen targets at companies in the industrial control system and critical infrastructure sectors. The TrueType zero-day provided kernel-level access on contact — no further privilege escalation was required.
CISA added CVE-2011-3402 to the KEV catalog in October 2025, fourteen years after the fix. KEV admits vulnerabilities with evidence of active exploitation regardless of age, and Duqu's use of this bug is among the best documented cases in the record; the page has no information on what prompted the timing.
Remediation
- Apply MS11-087 (December 2011) on all affected systems, or verify it was already applied as part of normal patch management
- Where patching is not yet possible, apply the Fix it workaround from Security Advisory 2639658. It does not disable TrueType parsing in the kernel; it denies all access to %windir%\system32\t2embed.dll, the user-mode library through which Word and Internet Explorer load embedded fonts, so a font embedded in a document or web page never reaches win32k.sys. Embedded fonts stop rendering while the workaround is in place, and it should be reverted once MS11-087 is installed
- Windows XP and Server 2003 are end-of-life — any remaining deployments should be isolated from all untrusted input (documents, web access) and migrated immediately
- Block delivery of Office documents from untrusted external sources at the email gateway
- Disable embedding of custom fonts in browser via Group Policy (Internet Explorer font download setting) as a defense-in-depth measure
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2011-3402 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2011-11-04 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2025-10-06 |
| CISA KEV Deadline | 2025-10-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2011-09 | Duqu malware samples discovered by CrySyS Lab (Hungary) in targeted attacks against industrial control system manufacturers |
| 2011-10-14 | CrySyS Lab and Symantec publish the first Duqu analysis; the installer and initial access vector are not yet known |
| 2011-11-01 | CrySyS Lab identifies the Duqu installer: a Word document carrying a TrueType font that exploits a win32k.sys zero-day; Symantec publishes the finding |
| 2011-11-03 | Microsoft releases FixIt workaround (Security Advisory 2639658) to disable TrueType font parsing |
| 2011-11-04 | CVE-2011-3402 published |
| 2011-12-13 | Microsoft releases MS11-087 as part of the regular December Patch Tuesday |
| 2025-10-06 | Added to CISA Known Exploited Vulnerabilities catalog (retroactive KEV addition) |
| 2025-10-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2011-3402 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS11-087 | Vendor Advisory |
| Microsoft Security Advisory 2639658 | Vendor Advisory |