Cyber Resilience

CVE-2009-4324

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 December 2009
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9286 (99.8th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-4324 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the Doc.media.newPlayer method of Multimedia.api that affects Adobe Reader and Acrobat 9.x before 9.3 and 8.x before 8.2 on Windows and Mac OS X. It is triggered when processing crafted PDF files that employ ZLib compressed streams and carries a CVSS 3.1 score of 7.8.

Remote attackers can exploit the issue by supplying a malicious PDF that causes the application to reference freed memory, resulting in arbitrary code execution under the privileges of the current user. The attack requires the victim to open the document and was observed being used in the wild during December 2009.

Adobe's security advisory and subsequent vendor bulletins direct users to apply the fixes released in Reader and Acrobat 9.3 and 8.2; organizations are also advised to disable JavaScript and multimedia features where feasible until patches can be deployed.

Vulnerability details

Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe acrobat: 8.0 — 8.2 · 9.0 — 9.3
adobe acrobat reader: 8.0 — 8.2 · 9.0 — 9.3
suse linux enterprise debuginfo: 11
opensuse opensuse: 11.1, 11.2
suse linux enterprise: 10.0

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches (Reader/Acrobat 9.3/8.2) that eliminate the use-after-free flaw before a malicious PDF can be exploited.

prevent

Mandates disabling non-essential features such as JavaScript and multimedia processing in Adobe Reader until patches are deployed, blocking the attack vector described in the CVE.

SC-18 Mobile Code (partial match)
prevent

Restricts or monitors execution of mobile code (PDF-embedded JavaScript and ZLib streams) that the Doc.media.newPlayer method processes to achieve arbitrary code execution.
