CVE-2007-1211

Microsoft Windows 2000 SP4, XP SP2, Server 2003 Gold/SP1/SP2 - Denial of Service via Crafted WMF Image

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2007-1211.

AI-analyzed exploit summary: The provided entry is a placeholder with no actual exploit code, only a link to an external download. This is characteristic of suspicious repositories that lure researchers into downloading potentially malicious files.

Description

Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allow user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.

Exploits (3)

exploitdb SUSPICIOUS
remote windows
https://www.exploit-db.com/exploits/3804

The provided entry is a placeholder with no actual exploit code, only a link to an external download. This is characteristic of suspicious repositories that lure researchers into downloading potentially malicious files.

Classification: Suspicious 90%
Attack Type: Other
Complexity: N/A
Reliability: N/A
Target: Microsoft Windows (GDI)
No auth needed
Prerequisites: N/A
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c local windows
https://www.exploit-db.com/exploits/3755

This exploit leverages a GDI local privilege escalation vulnerability (CVE-2007-1211) by manipulating a palette object's kernel pointer in shared memory, allowing arbitrary code execution in kernel mode. The PoC demonstrates the attack by hooking the GetNearestPaletteIndex function and executing a CLI/STI instruction sequence.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 2000/XP (pre-MS07-017 patch)
No auth needed
Prerequisites: Local access to the target system · Unpatched Windows 2000/XP system
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c local windows
https://www.exploit-db.com/exploits/3688

This exploit demonstrates a local privilege escalation (LPE) vulnerability in Windows GDI (CVE-2007-1211) by manipulating the GDI table to overwrite a win32k.sys SSDT entry, allowing arbitrary code execution in kernel mode. The PoC allocates memory at address 0x2, copies a payload, and triggers the vulnerability via DeleteObject.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows XP SP2 (GDI)
No auth needed
Prerequisites: Local access to a vulnerable Windows XP SP2 system
devstral-2 · analyzed Feb 19, 2026

References (8)

Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1215
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1571
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017843
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23275
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/466186/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33258
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=499

Scores

EPSS 0.7382
EPSS Percentile 98.8%

Details

CWE: CWE-399
Status: published
Products (5)
microsoft/windows_2000
microsoft/windows_2003_server gold (3 CPE variants)
microsoft/windows_2003_server sp1 (2 CPE variants)
microsoft/windows_2003_server sp2 (3 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Apr 04, 2007
Tracked Since Feb 18, 2026