CVE-2010-3970

Windows XP/2003/Vista/2008 - Remote Code Execution via Crafted Thumbnail Bitmap

Title source: llm
Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3970. PoCs published by Metasploit, Moti & Xu Hao, Yaniv Miron aka Lament of ilhack, jduck, including Metasploit module exploits/windows/fileformat/ms11_006_createsizeddibsection.

AI-analyzed exploit summary: This Metasploit module exploits a stack-based buffer overflow in Microsoft Windows' handling of thumbnails in .MIC files and Office documents via a negative 'biClrUsed' value, leading to arbitrary code execution when viewed in 'Thumbnails' mode.

Description

Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Windows Shell graphics processor (aka graphics rendering engine) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao, aka "Windows Shell Graphics Processing Overrun Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16660

This Metasploit module exploits a stack-based buffer overflow in Microsoft Windows' handling of thumbnails in .MIC files and Office documents via a negative 'biClrUsed' value, leading to arbitrary code execution when viewed in 'Thumbnails' mode.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (2000, XP SP3, Server 2003 SP2)
No auth needed
Prerequisites: Folder containing the malicious document must be viewed in 'Thumbnails' mode
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC GREAT
by Moti & Xu Hao, Yaniv Miron aka Lament of ilhack, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb

This Metasploit module exploits a stack-based buffer overflow in Microsoft Windows via malformed .MIC or Office documents with a negative 'biClrUsed' value in thumbnail bitmaps, leading to arbitrary code execution when viewed in 'Thumbnails' mode.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (2000, XP SP3, etc.)
No auth needed
Prerequisites: Victim must open a maliciously crafted file in a folder viewed with 'Thumbnails' mode
devstral-2 · analyzed Feb 16, 2026

References (11)

Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/106516
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11671
Various Sources x_refsource_misc
http://www.powerofcommunity.net/speaker.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0018
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42779
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45662
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024932

Scores

EPSS 0.6769
EPSS Percentile 99.2%

Details

CWE: CWE-119
Status published
Products (4)
microsoft/windows_server_2003
microsoft/windows_server_2008 (6 CPE variants)
microsoft/windows_vista (2 CPE variants)
microsoft/windows_xp (2 CPE variants)
Published Dec 22, 2010
Tracked Since Feb 18, 2026