CVE-2013-3906

Summary

CVE	CVE-2013-3906
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2013-11-06 15:55:00 UTC
Updated	2023-12-07 18:38:00 UTC
Description	GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

Risk And Classification

EPSS: 0.926280000 probability, percentile 0.997430000 (date 2026-04-02)

CISA KEV: Listed on 2022-02-15; due 2022-08-15; ransomware use Unknown

Problem Types: CWE-94

CISA Known Exploited Vulnerability

Vendor	Microsoft
Product	Graphics Component
Name	Microsoft Graphics Component Memory Corruption Vulnerability
Required Action	Apply updates per vendor instructions.
Notes	https://nvd.nist.gov/vuln/detail/CVE-2013-3906

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Microsoft	Lync	2010	All	attendee	All
Application	Microsoft	Lync	2010	All	x64	All
Application	Microsoft	Lync	2010	All	x86	All
Application	Microsoft	Lync	2013	-	x64	All
Application	Microsoft	Lync	2013	-	x86	All
Application	Microsoft	Lync	2010	All	attendee	All
Application	Microsoft	Lync	2010	All	x64	All
Application	Microsoft	Lync	2010	All	x86	All
Application	Microsoft	Lync	2013	-	x64	All
Application	Microsoft	Lync	2013	-	x86	All
Application	Microsoft	Lync Basic	2013	-	x64	All
Application	Microsoft	Lync Basic	2013	-	x86	All
Application	Microsoft	Lync Basic	2013	-	x64	All
Application	Microsoft	Lync Basic	2013	-	x86	All
Application	Microsoft	Office	2003	sp3	All	All
Application	Microsoft	Office	2007	sp3	All	All
Application	Microsoft	Office	2010	sp1	x64	All
Application	Microsoft	Office	2010	sp1	x86	All
Application	Microsoft	Office	2010	sp2	x64	All
Application	Microsoft	Office	2010	sp2	x86	All
Application	Microsoft	Office	2003	sp3	All	All
Application	Microsoft	Office	2007	sp3	All	All
Application	Microsoft	Office	2010	sp1	x64	All
Application	Microsoft	Office	2010	sp1	x86	All
Application	Microsoft	Office	2010	sp2	x64	All
Application	Microsoft	Office	2010	sp2	x86	All
Operating System	Microsoft	Windows Server 2008	All	sp2	itanium	All
Operating System	Microsoft	Windows Server 2008	All	sp2	x64	All
Operating System	Microsoft	Windows Server 2008	All	sp2	x86	All
Operating System	Microsoft	Windows Server 2008	All	sp2	itanium	All
Operating System	Microsoft	Windows Server 2008	All	sp2	x64	All
Operating System	Microsoft	Windows Server 2008	All	sp2	x86	All
Operating System	Microsoft	Windows Vista	All	sp2	All	All
Operating System	Microsoft	Windows Vista	All	sp2	x64	All
Operating System	Microsoft	Windows Vista	All	sp2	All	All
Operating System	Microsoft	Windows Vista	All	sp2	x64	All

References

Reference	Source	Link	Tags
McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office \| McAfee	MISC	blogs.mcafee.com	Exploit
Microsoft Tagged Image File Format (TIFF) Integer Overflow	EXPLOIT-DB	www.exploit-db.com	Exploit
Microsoft Security Advisory (2896666): Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution	CONFIRM	technet.microsoft.com	Patch, Vendor Advisory
CVE-2013-3906: a graphics vulnerability exploited through Word documents - Security Research & Defense - Site Home - TechNet Blogs	CONFIRM	blogs.technet.com	Exploit
Microsoft Security Bulletin MS13-096 - Critical \| Microsoft Docs	MS	docs.microsoft.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.