CVE-2009-0658

HIGH · EXPLOITED IN THE WILD

Adobe Reader <9.0 - Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2009-0658 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Metasploit, webDEViL and Guido Landi, among them the Metasploit module exploits/windows/browser/adobe_jbig2decode.

AI-analyzed exploit summary: This exploit targets a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier via a maliciously crafted PDF file. It uses JavaScript for heap spraying and leverages the JBIG2Decode filter to trigger the vulnerability.

Description

Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16672

This exploit targets a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier via a maliciously crafted PDF file. It uses JavaScript for heap spraying and leverages the JBIG2Decode filter to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Adobe Reader v9.0.0 and v8.1.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16593

This is a Metasploit module exploiting a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier via a maliciously crafted PDF with embedded JavaScript and JBIG2Decode stream. It uses heap spraying and shellcode execution to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Adobe Reader v9.0.0 and v8.1.2
No auth needed
Prerequisites: Target must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb STUB VERIFIED
by webDEViL · text · dos · windows
https://www.exploit-db.com/exploits/8090

The provided content is a minimal stub referencing a crash at address 41414141, likely indicating a buffer overflow, but lacks executable code or technical details. It points to a PDF (2009-41414141.pdf) hosted on GitLab, which may contain further details.

Classification: Stub 30%
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
Prerequisites: access to vulnerable application
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Guido Landi · perl · dos · windows
https://www.exploit-db.com/exploits/8099

This exploit generates a malicious PDF file targeting CVE-2009-0658, a JBIG2Decode vulnerability in Adobe Reader. It crafts a PDF with a specially formatted JBIG2 stream to trigger a heap-based buffer overflow.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader versions prior to 9.1
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by natron · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_jbig2decode.rb

This Metasploit module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier via a maliciously crafted PDF with JBIG2Decode stream and JavaScript heap spray. It achieves remote code execution by leveraging a vulnerability in the JBIG2 image decoding process.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Adobe Reader v9.0.0 and v8.1.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by natron · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_jbig2decode.rb

This Metasploit module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier via a maliciously crafted PDF file with embedded JavaScript for heap spraying and a JBIG2Decode stream to trigger memory corruption.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Adobe Reader v9.0.0 and v8.1.2
No auth needed
Prerequisites: Target must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

References (26)

Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34790
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8099
Third Party Advisory x_refsource_misc
http://isc.sans.org/diary.html?n&storyid=5902
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-051A.html
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/52073
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34490
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33901
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-0376.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34392
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00005.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34706
Third Party Advisory third-party-advisory x_refsource_frsirt
http://www.vupen.com/english/advisories/2009/0472
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/905281
Third Party Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256788-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33751
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021739
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8090
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200904-17.xml
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1019

Scores

CVSS v3 7.8
EPSS 0.9229
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2009-02-20
InTheWild.io 2019-09-27
CWE CWE-119
Status published
Products (4)
adobe/acrobat 9.0
adobe/acrobat 7.0 - 7.1.1
adobe/acrobat_reader 9.0
adobe/acrobat_reader 7.0 - 7.1.1
Published Feb 20, 2009
Tracked Since Feb 18, 2026