CVE-2009-3459
Published 2009-10-13
Priority P185 high · CVSS 3.1 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2026-06-03
Exploited in the wild
EPSS 86.47% (99.7th percentile)
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | >= 7.0 < 7.1.4 | 7.1.4 |
| adobe | acrobat | >= 8.0 < 8.1.7 | 8.1.7 |
| adobe | acrobat | >= 9.0 < 9.2 | 9.2 |
| adobe | acrobat_reader | >= 7.0 < 7.1.4 | 7.1.4 |
| adobe | acrobat_reader | >= 8.0 < 8.1.7 | 8.1.7 |
| adobe | acrobat_reader | >= 9.0 < 9.2 | 9.2 |
Detection & IOCs (extracted from sources)
other: Colors 1073741838
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; file.data; content:"Colors 1073741838"; fast_pattern; pcre:"/]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, cve CVE_2009_3459, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
bytes: \x00\x00\x20\x00\x00\x00\x10
- Detect crafted PDF FlateDecode streams with the anomalous Colors value 1073741838 (0x4000000E) in the stream dictionary; this is the integer overflow trigger for CVE-2009-3459.
- The exploit uses JavaScript heap spray targeting address range ~0x1000xxxx; monitor PDF files containing embedded JavaScript with large unescape() heap spray loops.
- The original in-the-wild exploit caused a crash executing address 0x70000000; this specific crash address can be used as a behavioral detection indicator.
- The exploit embeds a FlateDecode stream with BitsPerComponent set to 8 and a Predictor value of 02; look for /Predictor 2 combined with anomalous /Colors values in PDF stream dictionaries.
- Exploit payload space is 1024 bytes with null byte as bad character; shellcode is unescape-encoded within embedded PDF JavaScript.
- The vulnerability affects Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2; version 9.2 and later are not vulnerable.
- The Metasploit module targets Windows platforms only (Platform: win); the JS heap spray target size is (1024*1024) - 32 bytes.
- The original in-the-wild exploit data used bpc=1 with a 7-byte payload; the Metasploit version uses bpc=8 with a 64-byte zeroed buffer and addend=9 at offsets 18 and 51 for a more reliable heap spray target address.
CVSS provenance
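| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 8.8 | HIGH | |
| vendor_redhat | | 9.3 | CRITICAL | |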
VulDB
Adobe Acrobat Reader up to 9.1.3 memory corruption (EDB-16546 / Nessus ID 42119)
vuldb·2026-05-20·CVSS 8.8
CVE-2009-3459 [HIGH] Adobe Acrobat Reader up to 9.1.3 memory corruption (EDB-16546 / Nessus ID 42119)
A vulnerability, which was classified as very critical, was found in Adobe Acrobat Reader. This affects an unknown function. Such manipulation leads to memory corruption.
This vulnerability is traded as CVE-2009-3459. The attack may be launched remotely. Furthermore, there is an exploit available.
You should upgrade the affected component.
GHSA
GHSA-q52p-3m33-w676: Heap-based buffer overflow in Adobe Reader and Acrobat 7
ghsa_unreviewed·2022-05-02
CVE-2009-3459 [HIGH] CWE-119 GHSA-q52p-3m33-w676: Heap-based buffer overflow in Adobe Reader and Acrobat 7
VulnCheck
Adobe Acrobat and Reader Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2009·CVSS 9.3
CVE-2009-3459 [CRITICAL] Adobe Acrobat and Reader Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: Adobe Acrobat and Reader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2009-3459; https://media.blackhat.com/bh-eu-10/presentations/Li_Lovet/BlackHat-EU-2010-Li-Lovet-Adobe-Heap-slides.pdf
CISA
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
cisa·2026-05-20·CVSS 8.8
CVE-2009-3459 [HIGH] CWE-119 Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Vulnerability: Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Affected: Adobe Acrobat and Reader
Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.cisa.gov/news-events/alerts/2009/10/13/adobe-reader-and-acrobat-vulnerabilities ; https://web.archive.org/web/20120324170253/http://www.adobe.com/support/security/bulletins/apsb09-15.html#:~:text=CVE%2D2009%2D3459).-,NOTE%3A,-There%20are%20reports ; https://nvd.nist.gov/vuln/detail/CVE
Red Hat
acroread: heap overflow fix in version 8.1.7 (APSB09-15)
vendor_redhat·2009-10-08·CVSS 9.3
CVE-2009-3459 [CRITICAL] acroread: heap overflow fix in version 8.1.7 (APSB09-15)
Suricata
ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt
suricata·2011-07-01
Exploit-DB
Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)
exploitdb·2010-09-25
---
##
# $Id: adobe_flatedecode_predictor02.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe FlateDecode Stream Predictor 02 Integer Overflow',
'Description' => %q{
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe
Acrobat Professional versions before 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'jduck'
],
'Version' => '$Revi
Exploit-DB
Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (1)
exploitdb·2010-09-20
---
##
# $Id: adobe_flatedecode_predictor02.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe FlateDecode Stream Predictor 02 Integer Overflow',
'Description' => %q{
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe
Acrobat Professional versions before 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'jduck',
'jabra'
],
'Versio
Metasploit
Adobe FlateDecode Stream Predictor 02 Integer Overflow
metasploit
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.
Hackernews
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
blogs_hackernews·2026-05-21·CVSS 7.8
## Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild.
The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges.
"Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft said in an advisory.
The second vulnerability under exploitation is CVE-2026-45498 (CVSS score:
Bugzilla
CVE-2009-3459 acroread: heap overflow fix in version 8.1.7 (APSB09-15)
bugzilla·2009-10-08·CVSS 9.3
CVE-2009-3459 [CRITICAL] CVE-2009-3459 acroread: heap overflow fix in version 8.1.7 (APSB09-15)
Adobe has published a security bulletin APSB09-15 for heap overflow issue,
leading to arbitrary code execution, addressed in Adobe Reader and Acrobat
products:
http://www.adobe.com/support/security/bulletins/apsb09-15.html
Quoting Adobe bulletin APSB09-15 for issue descriptions:
This update resolves a heap overflow vulnerability that could lead
to code execution (CVE-2009-3459).
Discussion:
This issue has been addressed in following products:
Extras for RHEL 3
Extras for RHEL 4
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1499 https://rhn.redhat.com/errata/RHSA-2009-1499.html
References
- http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
- http://isc.sans.org/diary.html?storyid=7300
- http://secunia.com/advisories/36983
- http://securitytracker.com/id?1023007
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
- http://www.iss.net/threats/348.html
- http://www.securityfocus.com/bid/36600
- http://www.us-cert.gov/cas/techalerts/TA09-286B.html
- http://www.vupen.com/english/advisories/2009/2851
- http://www.vupen.com/english/advisories/2009/2898
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53691
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6534
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-3459
2009-10-13: Published
2026-05-20: Added to CISA KEV
Exploited in the wild