CVE-2016-7256 — Microsoft Windows Open Type Font Remote Code Execution Vulnerability

Windows Font Library — Malformed OpenType Font in Web Page or Document Triggers Memory Corruption Enabling RCE; Patched MS16-132 (November 2016)

What Is the Windows Font Library?

Windows includes a comprehensive font rendering subsystem that processes dozens of font formats — TrueType, OpenType, Type 1, and others — in both user-mode (GDI+, DirectWrite) and kernel-mode (atmfd.dll, win32k.sys) components. OpenType is the modern font format supported by all major operating systems and browsers. Windows renders OpenType fonts in web browsers (embedded via CSS), Office documents, and any application that displays text. Because font rendering code runs during normal browsing and document viewing — triggered automatically by content without user interaction beyond opening a page or file — font vulnerabilities have historically been among the most reliable vectors for drive-by code execution.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-7256 is a memory corruption vulnerability in the Windows font library that allows remote code execution when a user views content containing a specially crafted embedded OpenType font. An attacker who embeds a malformed OpenType font in a web page or document can trigger memory corruption in Windows font parsing code, potentially executing arbitrary code at the privilege level of the user. The attack requires no authentication and is triggered by browsing to a malicious page or opening a crafted document — making it suitable for drive-by and phishing delivery. Patched in MS16-132 (November 8, 2016). CISA added CVE-2016-7256 to the KEV catalog in May 2022.

Affected Versions

Windows Version                           Status
Windows Vista SP2                         Vulnerable
Windows Server 2008 SP2 / R2 SP1          Vulnerable
Windows 7 SP1                             Vulnerable
Windows 8.1                               Vulnerable
Windows RT 8.1                            Vulnerable
Windows Server 2012 / 2012 R2             Vulnerable
Windows 10 (versions 1507–1607)           Vulnerable
Windows Server 2016                       Vulnerable
All above with MS16-132 applied           Fixed

Technical Details

Root Cause: OpenType Font Parsing Memory Corruption

CVE-2016-7256 is a memory buffer vulnerability (CWE-119) in Windows's OpenType font parsing library. Windows's font subsystem — historically including the kernel-mode Adobe Type Manager Font Driver (atmfd.dll) and GDI font rendering — processes OpenType font tables to render text. OpenType fonts are structured binary files containing many interdependent data tables (cmap, glyf, head, OS/2, kern, etc.) with cross-references between them.

Font corruption exploitation path:

  1. Attacker crafts a malformed OpenType font — embedding malformed length fields, invalid table offsets, or corrupt data structures in the font binary
  2. User views content with the embedded font — a web page (@font-face CSS) or Office document embeds the malicious font
  3. Windows font parser processes the font — the font library reads the malformed data, performing incorrect bounds checking or treating an invalid field as a valid size/offset
  4. Memory corruption occurs — the parser reads or writes beyond allocated buffer bounds
  5. Code execution — the corruption lands on exploitable memory structures enabling arbitrary code execution
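
The class of check that step 3 describes as going wrong, shown as an added example (not code from the original page or from Microsoft): a validator for the sfnt table directory that every OpenType file starts with, contrasting a wrap-prone bounds test with an overflow-safe one. The page does not say which table or field CVE-2016-7256 involves, so this covers only the generic directory layout; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* All sfnt fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

enum sfnt_status { SFNT_OK, SFNT_TRUNCATED, SFNT_BAD_MAGIC, SFNT_DIR_OVERRUN, SFNT_TABLE_OOB };

/* Weak form: the 32-bit sum can wrap, so a huge length passes. */
int naive_in_bounds(uint32_t offset, uint32_t length, uint32_t size) {
    return (uint32_t)(offset + length) <= size;
}

/* Validates the 12-byte header and each 16-byte table record against size. */
enum sfnt_status sfnt_check_directory(const uint8_t *buf, size_t size) {
    if (size < 12) return SFNT_TRUNCATED;
    uint32_t magic = be32(buf);   /* 'OTTO' (CFF) or 0x00010000 (TrueType) */
    if (magic != 0x4F54544Fu && magic != 0x00010000u) return SFNT_BAD_MAGIC;
    size_t num_tables = ((size_t)buf[4] << 8) | buf[5];
    size_t dir_end = 12 + num_tables * 16;   /* at most 12 + 65535 * 16 */
    if (dir_end > size) return SFNT_DIR_OVERRUN;
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + 12 + i * 16;   /* tag, checksum, offset, length */
        uint32_t offset = be32(rec + 8), length = be32(rec + 12);
        /* Data must start after the directory; the range test subtracts
           rather than adds, so file-supplied values cannot wrap. */
        if (offset < dir_end || offset > size || length > size - offset)
            return SFNT_TABLE_OOB;
    }
    return SFNT_OK;
}

/* Constructed samples: one 'head' record, then 4 bytes of table data. */
const uint8_t SAMPLE_OK[32] = {
    'O','T','T','O', 0,1, 0,16, 0,0, 0,0,
    'h','e','a','d', 0,0,0,0, 0,0,0,28, 0,0,0,4 };
/* Same layout, but length = 0xFFFFFFF0, so offset + length wraps to 12. */
const uint8_t SAMPLE_WRAP[32] = {
    'O','T','T','O', 0,1, 0,16, 0,0, 0,0,
    'h','e','a','d', 0,0,0,0, 0,0,0,28, 0xFF,0xFF,0xFF,0xF0 };
const uint8_t SAMPLE_DIR[12] = { 'O','T','T','O', 4,0 }; /* claims 1024 tables */

int main(void) {   /* exit status 0 when the samples classify as expected */
    return !(sfnt_check_directory(SAMPLE_OK, 32) == SFNT_OK &&
             sfnt_check_directory(SAMPLE_WRAP, 32) == SFNT_TABLE_OOB &&
             sfnt_check_directory(SAMPLE_DIR, 12) == SFNT_DIR_OVERRUN);
}
```

The wrap-prone test accepts the second sample's record because the 32-bit sum comes out as 12, while the subtracting form rejects it.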

Font Attack Surface

OpenType font vulnerabilities are particularly impactful because:

  • Automatic processing: Browsers and Office automatically load and render embedded fonts without user prompting
  • Kernel-mode processing: Windows's atmfd.dll font driver runs in kernel mode; font vulnerabilities in the kernel component can directly escalate to kernel privilege, bypassing user-mode mitigations
  • Universal deployment: Font rendering is present in every Windows installation and cannot be disabled without breaking all text rendering

Attack Characteristics

Attribute            Detail
Attack Vector        Network — malicious web page or email attachment
User Interaction     Required — view content with embedded font
Authentication       None required
Delivery             @font-face CSS, embedded Office document font
Kernel Risk          atmfd.dll kernel-mode exposure on older Windows versions

Discovery

Identified through Microsoft's security research; patched in November 2016 Patch Tuesday (MS16-132) alongside multiple other Windows graphics component vulnerabilities including GDI and MPEG-related issues.

Exploitation Context

  • Drive-by web delivery: Embedding malicious OpenType fonts via CSS @font-face allows drive-by exploitation of any user browsing to the attacker's web page, with no interaction beyond loading the page in a browser
  • Document-borne delivery: Office documents can embed OpenType fonts; malicious fonts in .docx or .xlsx files trigger the vulnerability when the document is opened in Word or Excel — enabling document-based phishing attacks
  • Kernel-mode legacy font rendering: On older Windows versions, atmfd.dll's kernel-mode processing of OpenType fonts provided a path to kernel-level privilege; Microsoft began deprecating atmfd.dll in Windows 10 and removed it in 2020 (following CVE-2020-1020, another font RCE)
  • CISA KEV (2022): Added May 2022, reflecting documented exploitation of this font parsing vulnerability in targeted attacks

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-132 — install the November 2016 Windows security update for the Graphics Component via Windows Update, WSUS, or MECM. All subsequent Windows cumulative updates include this fix.

  2. Keep Windows fully updated — Windows cumulative updates include all prior font library and graphics component security patches.

  3. Disable the Adobe Type Manager Font Driver (atmfd.dll) if possible — on Windows 7/2008 systems where it cannot be patched, disabling atmfd.dll eliminates kernel-mode font processing exposure (though this may affect rendering of some fonts):

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v DisableATMFD /t REG_DWORD /d 1 /f
    
  4. Enable Enhanced Protected Mode in Internet Explorer — EPM limits IE's ability to load kernel-mode font drivers from web content, reducing font exploitation exposure in the browser.

  5. Block external font loading at web proxy — enterprise web proxies can block @font-face loading from external domains, reducing drive-by font exploitation attack surface for managed workstations.

Key Details

Property               Value
CVE ID                 CVE-2016-7256
Vendor / Product       Microsoft — Windows
NVD Published          2016-11-10
NVD Last Modified      2025-10-22
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added         2022-05-25
CISA KEV Deadline      2022-06-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date         Event
2016-11-08   Microsoft releases MS16-132 patching CVE-2016-7256 (Windows OpenType font memory corruption)
2016-11-10   CVE-2016-7256 published by NVD
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline