Cyber Resilience

CVE-2009-0927

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 19 March 2009

Modified: 22 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9379 (99.9th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-0927 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Acrobat Reader. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is a stack-based buffer overflow, identified as CWE-121 and related to improper input validation under CWE-20, that affects Adobe Reader and Adobe Acrobat versions 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1. It is triggered specifically by a crafted argument supplied to the getIcon method of a Collab object and is distinct from CVE-2009-0658. The issue received a CVSS 3.1 score of 8.8, reflecting network-accessible attack potential with high impact on confidentiality, integrity, and availability.

Remote attackers can exploit the flaw to execute arbitrary code on a target system. Exploitation requires user interaction such as opening a malicious document, after which the overflow allows full control over the affected process without needing prior authentication or elevated privileges.

Security advisories from openSUSE and Secunia reference vendor updates that address the vulnerability by upgrading Adobe Reader and Acrobat to the fixed versions listed in the CVE description. These sources also note the availability of corresponding patches for affected distributions and installations.

EU & UK References

Vulnerability details

Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Adobe Acrobat Reader
7.0 — 7.1.1 · 8.0 — 8.1.3 · 9.0 — 9.1

Mitigating Controls (NIST 800-53 r5) AI

prevent (SI-10, Information Input Validation): Enforces validation of all inputs (including PDF method arguments) to block the crafted getIcon data that triggers the stack buffer overflow.

prevent (SI-16, Memory Protection): Applies memory protections that directly mitigate exploitation of the stack-based buffer overflow (CWE-121) used for arbitrary code execution.

prevent: Mandates prompt installation of the vendor patches that eliminate the vulnerable Collab.getIcon handling in the Adobe Reader/Acrobat versions listed in the CVE.

References