What is the CVSS score of CVE-2013-3660?

CVE-2013-3660 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 69.2%.

Which versions of Microsoft are affected by CVE-2013-3660?

CVE-2013-3660 presents notable security risk, a buffer overflow vulnerability rated CVSS 7.8.. A patch is available.

Is there a public PoC exploit available for CVE-2013-3660?

Yes, a public proof-of-concept exploit is available for CVE-2013-3660. Prioritise patching immediately. EPSS: 69.2%.

How to fix or mitigate CVE-2013-3660?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Microsoft CVE-2013-3660

HIGH

Buffer Overflow (CWE-119)

2013-05-24 cve@mitre.org

Buffer Overflow Microsoft

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 01:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 01:15 vuln.today

Public exploit code

Patch released

Oct 22, 2025 - 01:15 nvd

Patch available

CVE Published

May 24, 2013 - 20:55 nvd

HIGH 7.8

DescriptionNVD

The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."

AnalysisAI

The EPATHOBJ::pprFlattenRec function in Windows win32k.sys fails to properly initialize list pointers, allowing local users to gain SYSTEM privileges through kernel-mode code execution on Windows XP through Windows 8.

Technical ContextAI

The CWE-119 flaw is in the GDI subsystem's path flattening code. When processing complex path objects, the pprFlattenRec function leaves a next-pointer uninitialized in certain edge cases. An attacker can fill the uninitialized memory with controlled data through heap manipulation, then trigger a write-what-where condition for kernel code execution.

RemediationAI

Apply Microsoft security update MS13-053. Implement kernel exploit mitigations available in Windows 8.1+ (SMEP, CFG).

More from same product – last 7 days

CVE-2026-10044 HIGH This Week POC

8.2 May 28

{filename} endpoint. The flawed traversal guard only rejects forward slashes and '..' sequences, so absolute Windows pat

CVE-2026-40412 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil

CVE-2026-41104 CRITICAL Monitor

10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal

CVE-2026-23652 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-

CVE-2026-47280 CRITICAL Monitor

10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti

CVE-2013-3660 vulnerability details – vuln.today

Back

Microsoft CVE-2013-3660

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code