CISA has added a 2009-era heap-based buffer overflow in Adobe Acrobat and Reader to the Known Exploited Vulnerabilities catalog, citing in-the-wild exploitation via crafted PDF files.
What Is It
CVE-2009-3459 is a heap-based buffer overflow (CWE-119; secondary CWE-122) in Adobe Reader and Acrobat. According to NVD, a crafted PDF file triggers memory corruption that allows a remote attacker to execute arbitrary code. The vulnerability was originally disclosed and exploited in the wild in October 2009. NVD currently assigns it a CVSS 3.1 base score of 8.8 (HIGH) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS 2.0 base score of 9.3. User interaction (opening the malicious PDF) is required.
Why It Matters
CISA added CVE-2009-3459 to the KEV catalog on 2026-05-20, confirming active exploitation. The NVD description explicitly notes the flaw was "exploited in the wild in October 2009," and the KEV listing renews that signal. Successful exploitation yields arbitrary code execution in the context of the user opening the PDF, with HIGH impact across confidentiality, integrity, and availability. CISA lists known use in ransomware campaigns as "Unknown." Because PDFs remain a routine delivery vector for phishing and document-borne malware, an unpatched Acrobat/Reader install is a direct path to endpoint compromise.
What's Vulnerable
Per NVD, the affected products are:
- Adobe Reader and Acrobat 7.x prior to 7.1.4
- Adobe Reader and Acrobat 8.x prior to 8.1.7
- Adobe Reader and Acrobat 9.x prior to 9.2
NVD's CPE configuration also enumerates a broad range of earlier Acrobat versions (3.x through 6.x) as vulnerable.
Patch Status
Adobe addressed the issue in Reader and Acrobat 7.1.4, 8.1.7, and 9.2, per security bulletin APSB09-15. CISA's required action is to "apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." The KEV due date for federal civilian agencies is 2026-06-03. Given the age of the affected branches, organizations still running any of these versions should upgrade to a currently supported Adobe Acrobat/Reader release rather than rely on the original 2009 point patches.
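For triage, the affected ranges under "What's Vulnerable" and the fixed builds above reduce to a version comparison per major branch. The following is an added example (not the advisory's, NVD's or Adobe's code) that classifies installed Acrobat/Reader version strings against exactly those ranges (all of 3.x through 6.x; 7.x below 7.1.4; 8.x below 8.1.7; 9.x below 9.2) and flags the patched-but-unsupported legacy branches for upgrade, as the paragraph recommends. The inventory at the bottom is constructed sample data; hostnames and versions are made up.

```python
# Added example: classify Adobe Acrobat/Reader versions against the
# CVE-2009-3459 ranges given on the page and the APSB09-15 fixed builds.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed build per affected major branch (Adobe bulletin APSB09-15).
FIXED_BUILD: Dict[int, Version] = {7: (7, 1, 4), 8: (8, 1, 7), 9: (9, 2)}
# Earlier branches that NVD's CPE configuration lists as vulnerable outright.
UNFIXED_MAJORS = range(3, 7)

VULNERABLE = "vulnerable to CVE-2009-3459"
PATCHED_LEGACY = "patched, but unsupported branch: upgrade to a current release"
NOT_AFFECTED = "not in the affected range"
UNKNOWN = "branch not enumerated by NVD for this CVE"


def parse_version(text: str) -> Version:
    """Turn '9.1.3' into (9, 1, 3); reject empty or non-numeric components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text: str) -> str:
    v = parse_version(version_text)
    major = v[0]
    if major in UNFIXED_MAJORS:
        return VULNERABLE
    if major in FIXED_BUILD:
        # Tuple comparison treats '9.2.0' as >= '9.2', so a fixed build
        # reported with an extra trailing component still counts as patched.
        return VULNERABLE if v < FIXED_BUILD[major] else PATCHED_LEGACY
    if major > max(FIXED_BUILD):
        return NOT_AFFECTED
    return UNKNOWN


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for each host that is either still
    vulnerable or sitting on a patched legacy branch that should be upgraded."""
    flagged = []
    for host, version in inventory:
        verdict = classify(version)
        if verdict in (VULNERABLE, PATCHED_LEGACY):
            flagged.append((host, version, verdict))
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-finance-01", "9.1.3"),
    ("ws-finance-02", "9.2.0"),
    ("ws-legal-07", "8.1.7"),
    ("ws-hr-03", "5.0.5"),
    ("ws-eng-11", "23.006.20360"),
]

if __name__ == "__main__":
    for host, version, verdict in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: Acrobat/Reader {version} -> {verdict}")
```

The classifier deliberately reports patched 7.x/8.x/9.x builds separately from unaffected ones, since the advisory's guidance is to move off those branches entirely rather than stop at the 2009 point releases; feed it whatever version strings your endpoint inventory already collects.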