TP-EXP-2009-0002 CVE-2009-3459 high Patched AI Draft

Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability (CVE-2009-3459)

Severity Assessment

  • Exploitability: 7/10 - Exploitation requires a user to open a crafted PDF in a vulnerable Adobe Reader or Acrobat version; CISA also noted that browser plug-ins could automatically open PDFs hosted on a website.
  • Impact: 9/10 - The cited sources describe arbitrary code execution through memory corruption, with CISA warning of code execution, arbitrary file writes, local privilege escalation, or denial of service in the broader APSB09-15 vulnerability set.
  • Weaponization Risk: 8/10 - Adobe reported limited, targeted exploitation of CVE-2009-3459 in the wild, and NVD records exploitation in October 2009.
  • Patch Urgency: 10/10 - Adobe released patched versions on 2009-10-13, and CISA later added the CVE to the Known Exploited Vulnerabilities catalog with a 2026-06-03 remediation due date for covered federal systems.
  • Detection Coverage: 5/10 - The cited sources do not provide hashes, domains, file names, or other stable indicators, so detection depends on PDF inspection, process behavior, and patch status.

CVE-2009-3459 has a CISA ADP CVSS 3.1 base score of 8.8/10 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. NVD also lists a CVSS 2.0 base score of 9.3/10 (High).

Summary

CVE-2009-3459 is a heap-based buffer overflow in Adobe Reader and Acrobat. NVD describes affected versions as Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2. A remote attacker could trigger memory corruption with a crafted PDF file and execute arbitrary code when the document is opened in a vulnerable product.

Adobe published Security Bulletin APSB09-15 on 2009-10-13 and categorized the update as critical. The bulletin says CVE-2009-3459 could lead to code execution and notes reports of limited, targeted exploitation in the wild. Adobe credited Chia-Ching Fang of the Information and Communication Security Technology Center for the CVE.

CISA Alert TA09-286B warned that the Adobe Reader and Acrobat vulnerabilities in APSB09-15 were being actively exploited. CISA advised users to install Adobe’s updates and described temporary mitigations such as disabling JavaScript in Adobe Reader and Acrobat, preventing automatic PDF opening in Internet Explorer, disabling PDF display in browsers, and avoiding unexpected PDF documents.

CISA added CVE-2009-3459 to the Known Exploited Vulnerabilities catalog on 2026-05-20. The KEV entry lists known ransomware campaign use as Unknown and requires covered federal agencies to remediate by 2026-06-03.

Exploit Chain

Stage 1: Crafted PDF delivery

An attacker prepares a PDF document that triggers the heap-based buffer overflow described by Adobe, NVD, and CISA. CISA’s alert describes exploitation by convincing a user to open a specially crafted PDF file and notes that browser plug-ins could automatically open PDFs hosted on a website.

Stage 2: User opens the document

The target opens the PDF in a vulnerable Adobe Reader or Acrobat version. CISA’s affected-version list includes 9.1.3 and earlier 9.x releases, 8.1.6 and earlier 8.x releases, and 7.1.3 and earlier 7.x releases.

Stage 3: Memory corruption

The crafted PDF triggers heap-based memory corruption. NVD describes the weakness as a heap-based buffer overflow, and CISA’s KEV entry describes memory corruption caused by the crafted PDF.

Stage 4: Code execution

If exploitation succeeds, the attacker can execute code through the vulnerable Reader or Acrobat process. The public sources do not provide a universal post-exploitation payload, command-and-control pattern, or actor attribution for CVE-2009-3459.

Detection Guidance

Patch and exposure checks:

  • Inventory Adobe Reader and Acrobat installations and identify versions below the fixed release for their branch: 9.x before 9.2, 8.x before 8.1.7, and 7.x before 7.1.4.
  • Treat vulnerable legacy installations as high-priority remediation targets, especially where users can receive external PDFs or where browser plug-ins can open PDFs automatically.
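
One way to run the version check against a software inventory export, as an added example that is not taken from Adobe, NVD, or CISA. The CSV column names, host names, and status labels are assumptions; the per-branch fixed versions are the ones stated above.

```python
import csv
import io
import re

# Fixed release for each affected branch, as stated in the advisory above.
FIXED = {7: (7, 1, 4), 8: (8, 1, 7), 9: (9, 2)}

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Reader,9.1.3
ws-002,Adobe Reader,9.2.0
ws-003,Adobe Acrobat,8.1.6
ws-004,Adobe Acrobat,8.1.7
ws-005,Adobe Reader,7.1.3.0
ws-006,Adobe Reader,10.1.4
ws-007,Adobe Reader,9.x
ws-008,7-Zip,9.20
"""

def parse_version(text):
    """Return '9.1.3' as (9, 1, 3); None if the string is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one version string against the advisory's per-branch ranges."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # needs manual review, never assume patched
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "out-of-scope"       # branch not listed in the advisory
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))   # so 9.2 == 9.2.0
    return "vulnerable" if pad(version) < pad(fixed) else "patched"

def triage(inventory_csv):
    """Return (host, product, version, status) for Reader/Acrobat rows only."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (r["host"], r["product"], r["version"], classify(r["version"]))
        for r in rows
        if re.search(r"adobe\s+(reader|acrobat)", r["product"], re.I)
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows reported as "unknown" or "out-of-scope" are not cleared by this check and should be reviewed separately.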

Document handling controls:

  • Apply CISA’s mitigation guidance for environments that cannot immediately patch: disable JavaScript in Adobe Reader and Acrobat, prevent Internet Explorer from automatically opening PDFs, and disable PDF display in the browser.
  • Warn users not to open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments.

Behavioral monitoring:

  • Monitor Adobe Reader and Acrobat crashes after opening PDF files, as failed exploitation attempts may destabilize the application.
  • Investigate unexpected child processes, file writes, or outbound network connections from Adobe Reader or Acrobat shortly after a PDF is opened.

Indicators of Compromise

The cited sources do not provide stable hashes, file names, command-and-control domains, IP addresses, or other universal indicators for CVE-2009-3459 exploitation.

Potential investigation leads include:

  • A suspicious PDF that causes Adobe Reader or Acrobat to crash.
  • Adobe Reader or Acrobat spawning unexpected child processes after a PDF is opened.
  • Unusual file writes or network connections from Adobe Reader or Acrobat following document viewing.

These indicators are behavioral leads only and should be correlated with vulnerable software versions and the source of the PDF.
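
The behavioral monitoring guidance and the investigation leads above, sketched as correlation logic over endpoint telemetry. This is an added example, not detection content from the cited sources: the event schema, field names, 120-second window, and sample events are constructed assumptions, and AcroRd32.exe and Acrobat.exe are the usual Reader and Acrobat process names on Windows.

```python
from datetime import datetime, timedelta

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}   # Reader / Acrobat binaries
WINDOW = timedelta(seconds=120)                   # assumed correlation window
SUSPECT_KINDS = {"process_create", "file_write", "net_connect", "crash"}

# Constructed sample telemetry; field names are hypothetical, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2009-10-14T09:00:00", "host": "ws-001", "kind": "pdf_open",
     "image": "AcroRd32.exe", "target": "C:\\Users\\a\\Downloads\\invoice.pdf"},
    {"ts": "2009-10-14T09:00:07", "host": "ws-001", "kind": "process_create",
     "image": "AcroRd32.exe", "target": "cmd.exe"},
    {"ts": "2009-10-14T09:00:09", "host": "ws-001", "kind": "net_connect",
     "image": "AcroRd32.exe", "target": "192.0.2.10:443"},
    {"ts": "2009-10-14T09:30:00", "host": "ws-002", "kind": "pdf_open",
     "image": "Acrobat.exe", "target": "C:\\docs\\report.pdf"},
    {"ts": "2009-10-14T09:45:00", "host": "ws-002", "kind": "file_write",
     "image": "Acrobat.exe", "target": "C:\\docs\\report-v2.pdf"},
    {"ts": "2009-10-14T10:00:00", "host": "ws-003", "kind": "pdf_open",
     "image": "AcroRd32.exe", "target": "C:\\temp\\form.pdf"},
    {"ts": "2009-10-14T10:00:03", "host": "ws-003", "kind": "crash",
     "image": "AcroRd32.exe", "target": ""},
]

def find_leads(events, expected_children=frozenset()):
    """Return (host, pdf, kind, target) for Reader/Acrobat activity in WINDOW."""
    last_open = {}   # host -> (time, pdf path) of most recent PDF open
    leads = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() not in READER_IMAGES:
            continue
        when = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "pdf_open":
            last_open[ev["host"]] = (when, ev["target"])
            continue
        opened = last_open.get(ev["host"])
        if ev["kind"] not in SUSPECT_KINDS or opened is None:
            continue
        if when - opened[0] > WINDOW:
            continue   # too long after the open to attribute to the document
        if ev["kind"] == "process_create" and ev["target"].lower() in expected_children:
            continue   # baseline child process, site-specific allow-list
        leads.append((ev["host"], opened[1], ev["kind"], ev["target"]))
    return leads
```

Each lead carries the PDF path so it can be checked against the document's source and the host's installed Reader or Acrobat version.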

Disclosure Timeline

Date        Event
2009-10-08  Adobe released an advisory that was later incorporated into APSB09-15.
2009-10-13  Adobe published Security Bulletin APSB09-15 and released Reader/Acrobat updates.
2009-10-13  CISA issued Alert TA09-286B covering the Adobe Reader and Acrobat vulnerabilities.
2009-10-13  NVD published the CVE-2009-3459 record.
2013-01-24  CISA’s TA09-286B page records its last revision.
2026-05-20  CISA added CVE-2009-3459 to the Known Exploited Vulnerabilities catalog.
2026-05-21  NVD last modified the CVE-2009-3459 record.
2026-06-03  CISA KEV remediation due date for covered federal systems.

Sources & References