CVE-2010-2738

Microsoft Windows and Office - Remote Code Execution via Malformed OpenType Font Parsing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-2738. PoCs published by Abysssec.

AI-analyzed exploit summary This exploit generates a malformed TTF font file by modifying specific fields in the 'cmap' table to trigger a vulnerability in the Microsoft Unicode Scripts Processor (usp10.dll). The crafted font file can lead to remote code execution when processed by vulnerable systems.

Description

The Uniscribe (aka new Unicode Script Processor) implementation in USP10.DLL in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2, and Microsoft Office XP SP3, 2003 SP3, and 2007 SP2, does not properly validate tables associated with malformed OpenType fonts, which allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) Office document, aka "Uniscribe Font Parsing Engine Memory Corruption Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Abysssec · pythondoswindows

https://www.exploit-db.com/exploits/15158

View Code ZIP pw:eip

This exploit generates a malformed TTF font file by modifying specific fields in the 'cmap' table to trigger a vulnerability in the Microsoft Unicode Scripts Processor (usp10.dll). The crafted font file can lead to remote code execution when processed by vulnerable systems.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Unicode Scripts Processor (usp10.dll) on Windows XP and Vista

No auth needed

Prerequisites: Access to the target system to deliver the malformed font file

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-063

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7214

Scores

EPSS 0.1854

EPSS Percentile 96.9%

Details

CWE

CWE-20

Status published

Products (7)

microsoft/office 2003 sp3

microsoft/office 2007 sp2

microsoft/office xp sp3

microsoft/windows_server_2003

microsoft/windows_server_2008 (7 CPE variants)

microsoft/windows_vista (4 CPE variants)

microsoft/windows_xp (2 CPE variants)

Published Sep 15, 2010

Tracked Since Feb 18, 2026