Vulnerability Details : CVE-2011-5046
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability."
Vulnerability category: Memory CorruptionInput validationExecute codeDenial of service
Products affected by CVE-2011-5046
- cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:*:sp1:x86:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-5046
54.74%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-5046
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2011-5046
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-5046
-
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-008
Microsoft Security Bulletin MS12-008 - Critical | Microsoft Docs
-
http://www.exploit-db.com/exploits/18275
Apple Safari - GdiDrawStream Blue Screen of Death - Windows_x86-64 dos ExploitExploit
-
http://www.securitytracker.com/id?1026450
Windows Win32k.sys GDI Memory Corruption Error Lets Remote Users Execute Arbitrary Code - SecurityTracker
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/71873
Microsoft Windows win32k.sys code execution CVE-2011-5046 Vulnerability Report
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14603
Repository / Oval Repository
-
http://www.us-cert.gov/cas/techalerts/TA12-045A.html
Microsoft Updates for Multiple Vulnerabilities | CISAUS Government Resource
-
http://twitter.com/w3bd3vil/statuses/148454992989261824
webDEViL on Twitter: "<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!"
Jump to