CVE-2009-3459
published 2009-10-13

CVE-2009-3459: Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code…

Priority: P1 · 85 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-03
Exploited in the wild
EPSS: 86.47% (99.7th percentile)
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.

Affected

6 ranges
Vendor  Product         Version range     Fixed in
adobe   acrobat         >= 7.0 < 7.1.4    7.1.4
adobe   acrobat         >= 8.0 < 8.1.7    8.1.7
adobe   acrobat         >= 9.0 < 9.2      9.2
adobe   acrobat_reader  >= 7.0 < 7.1.4    7.1.4
adobe   acrobat_reader  >= 8.0 < 8.1.7    8.1.7
adobe   acrobat_reader  >= 9.0 < 9.2      9.2

Detection & IOCs (extracted from sources)

other: Colors 1073741838
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; file.data; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, cve CVE_2009_3459, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
bytes: \x00\x00\x20\x00\x00\x00\x10
  • Detect crafted PDF FlateDecode streams with the anomalous Colors value 1073741838 (0x4000000E) in the stream dictionary — this is the integer overflow trigger for CVE-2009-3459.
  • The exploit uses JavaScript heap spray targeting address range ~0x1000xxxx; monitor PDF files containing embedded JavaScript with large unescape() heap spray loops.
  • The original in-the-wild exploit caused a crash executing address 0x70000000; this specific crash address can be used as a behavioral detection indicator.
  • The exploit embeds a FlateDecode stream with BitsPerComponent set to 8 and a Predictor value of 02; look for /Predictor 2 combined with anomalous /Colors values in PDF stream dictionaries.
  • Exploit payload space is 1024 bytes with null byte as bad character; shellcode is unescape-encoded within embedded PDF JavaScript.
  • The vulnerability affects Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2; version 9.2 and later are not vulnerable.
  • The Metasploit module targets Windows platforms only (Platform: win); the JS heap spray target size is (1024*1024) - 32 bytes.
  • The original in-the-wild exploit data used bpc=1 with a 7-byte payload; the Metasploit version uses bpc=8 with a 64-byte zeroed buffer and addend=9 at offsets 18 and 51 for a more reliable heap spray target address.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck      -        9.3    CRITICAL  -
cisa           -        8.8    HIGH      -
vendor_redhat  -        9.3    CRITICAL  -