
CVE-2009-3953

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 January 2010
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9051 (99.6th percentile)
Risk Priority: 92 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2009-3953 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Acrobat. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is an array boundary issue, tracked as CWE-787, in the U3D implementation of Adobe Reader and Acrobat. It affects versions 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4, and is distinct from CVE-2009-2994. Malformed U3D data supplied inside a PDF document can trigger the flaw.

An unauthenticated remote attacker can exploit the issue by delivering a crafted PDF to a target user. If the recipient opens the document in an affected reader, the attacker may achieve arbitrary code execution with the privileges of the current user, corresponding to a CVSS 3.1 score of 8.8.

Adobe security bulletin APSB10-02 and related vendor advisories from Secunia and OpenSUSE direct administrators to apply the vendor-supplied patches that update Reader and Acrobat to the fixed releases. Organizations should prioritize these updates on all Windows and Mac OS X installations to eliminate the affected code paths.


Vulnerability details

The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                      Versions
adobe     acrobat                      7.0 to 7.1.4, 8.0 to 8.2, 9.0 to 9.3
suse      linux enterprise debuginfo   11
opensuse  opensuse                     11.1, 11.2
suse      linux enterprise             10.0

Mitigating Controls

NIST 800-53 r5 controls

Prevent (SI-2, Flaw Remediation): Directly requires identification and installation of vendor patches that remove the vulnerable U3D array-boundary code paths in Adobe Reader/Acrobat.

Prevent (CM-6, Configuration Settings): Enforces configuration settings that can disable or restrict U3D/3D PDF processing until patches are applied.

Detect: Requires scanning to discover unpatched instances of Adobe Reader/Acrobat 7.x to 9.x that remain exposed to the CVE-2009-3953 flaw.
