CVE-2009-3459

HIGH · CISA KEV · EPSS 99.7% · CVSS 3.1: 8.8 (High)
Published Oct 13, 2009 16y ago
Last Modified May 21, 2026 1mo ago
KEV Listed May 20, 2026 1mo ago
KEV Due Jun 3, 2026 27d overdue

Description

Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.

CVSS Details

Base Score 8.8
Exploitability 2.8
Impact 5.9
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

CISA Known Exploited (Overdue 27d)
Added May 20, 2026
Due Jun 3, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability
99.7% percentile
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available

Weaknesses 2

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (Memory Safety)
CWE-122

Affected Products 6

Vendor  Product         Version  Range
adobe   acrobat         *        ≥7.0 – <7.1.4
adobe   acrobat         *        ≥8.0 – <8.1.7
adobe   acrobat         *        ≥9.0 – <9.2
adobe   acrobat_reader  *        ≥7.0 – <7.1.4
adobe   acrobat_reader  *        ≥8.0 – <8.1.7
adobe   acrobat_reader  *        ≥9.0 – <9.2

References 13

  • blogs.adobe.com http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
    Vendor Advisory, Broken Link
  • isc.sans.org http://isc.sans.org/diary.html?storyid=7300
    Not Applicable
  • secunia.com http://secunia.com/advisories/36983
    Vendor Advisory
  • securitytracker.com http://securitytracker.com/id?1023007
    Broken Link
  • adobe.com http://www.adobe.com/support/security/bulletins/apsb09-15.html
    Patch, Vendor Advisory
  • iss.net http://www.iss.net/threats/348.html
    Broken Link
  • securityfocus.com http://www.securityfocus.com/bid/36600
    Broken Link
  • us-cert.gov http://www.us-cert.gov/cas/techalerts/TA09-286B.html
    US Government Resource
  • vupen.com http://www.vupen.com/english/advisories/2009/2851
    Vendor Advisory
  • vupen.com http://www.vupen.com/english/advisories/2009/2898
    Vendor Advisory
  • exchange.xforce.ibmcloud.com https://exchange.xforce.ibmcloud.com/vulnerabilities/53691
    Third Party Advisory, VDB Entry
  • oval.cisecurity.org https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6534
    Broken Link
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3459
    US Government Resource

Remediation

  • adobe.com http://www.adobe.com/support/security/bulletins/apsb09-15.html
    Patch, Vendor Advisory