CVE-2009-0689

K-Meleon 1.5.3 - Heap-Based Buffer Overflow via Large Precision Value in printf Format Argument


Exploitation Summary

EIP tracks 12 public exploits for CVE-2009-0689. PoCs published by Maksymilian Arciemowicz, Maksymilian Arciemowicz & sp3x, Alin Rad Pop.


Description

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

Exploits (12)

exploitdb STUB VERIFIED
by Maksymilian Arciemowicz · c · dos · osx
https://www.exploit-db.com/exploits/33479

This code is a minimal stub demonstrating the strtod function call with a malformed input string, which was reported to trigger a memory corruption vulnerability in Mac OS X 10.5 and 10.6. However, it lacks exploit payloads or mechanisms to achieve arbitrary code execution.

Classification: Stub 80%
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: Mac OS X 10.5 and 10.6
No auth needed
Prerequisites: None
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz · text · dos · linux
https://www.exploit-db.com/exploits/33480

This exploit leverages a memory corruption vulnerability in MATLAB R2009b due to improper bounds-checking of array indices. The PoC uses a PHP script to generate a large string to trigger the vulnerability, potentially leading to arbitrary code execution.

Classification: Working PoC 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: MATLAB R2009b
No auth needed
Prerequisites: Access to a system running MATLAB R2009b · Ability to deliver the malicious input to the application
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz · text · remote · multiple
https://www.exploit-db.com/exploits/33363

This exploit leverages a memory corruption vulnerability in Opera Web Browser by creating an extremely long floating-point number in JavaScript, which can lead to remote code execution or denial-of-service conditions.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Opera Web Browser 10.01
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit code
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz · text · remote · linux
https://www.exploit-db.com/exploits/33364

This exploit leverages a memory corruption vulnerability in KDELibs by crafting a maliciously large floating-point number in JavaScript, which can lead to remote code execution or denial-of-service conditions.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: KDE KDELibs 4.3.3
No auth needed
Prerequisites: A vulnerable version of KDELibs · Ability to inject JavaScript into a rendered context
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz & sp3x · text · dos · linux
https://www.exploit-db.com/exploits/10184

The exploit demonstrates a remote array overrun vulnerability in KDELibs 4.3.3 due to a flaw in the dtoa implementation, allowing arbitrary code execution via a crafted JavaScript float value.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: KDELibs 4.3.3 (Konqueror)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Konqueror
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz & sp3x · text · dos · bsd
https://www.exploit-db.com/exploits/10185

The exploit demonstrates a remote array overrun vulnerability in SeaMonkey 1.1.18 due to a flaw in the dtoa implementation, allowing arbitrary code execution via a crafted JavaScript float value.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: SeaMonkey 1.1.18
No auth needed
Prerequisites: Victim must visit a malicious webpage
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz & sp3x · text · dos · bsd
https://www.exploit-db.com/exploits/10187

This exploit leverages a dtoa implementation flaw in Opera 10.01, causing an array overrun via a maliciously crafted floating-point number in JavaScript, leading to arbitrary code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Opera 10.01 and 10.10 Beta
No auth needed
Prerequisites: Victim must visit a malicious webpage
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz & sp3x · text · dos · bsd
https://www.exploit-db.com/exploits/10186

This exploit demonstrates a remote array overrun vulnerability in K-Meleon 1.5.3 due to improper handling of long float numbers in the dtoa implementation, leading to arbitrary code execution. The PoC uses a JavaScript snippet to trigger the vulnerability by creating an excessively long float value.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: K-Meleon 1.5.3
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit code
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Alin Rad Pop · text · dos · linux
https://www.exploit-db.com/exploits/33312

This exploit leverages a heap-based buffer overflow in Mozilla Firefox by using a maliciously crafted JavaScript script with an extremely long string to trigger arbitrary code execution or denial-of-service conditions.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Mozilla Firefox (versions affected by CVE-2009-0689)
No auth needed
Prerequisites: Victim must visit a malicious webpage
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Maksymilian Arciemowicz · text · dos · multiple
https://www.exploit-db.com/exploits/33058

The exploit demonstrates a memory corruption vulnerability in multiple BSD distributions due to improper bounds-checking in printf's floating-point formatting. The PoC triggers the issue using crafted format strings, potentially leading to arbitrary code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: OpenBSD 4.5, NetBSD 5.0, FreeBSD 6.4 and 7.2
No auth needed
Prerequisites: Access to execute commands on the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP
by Maksymilian Arciemowicz & sp3x · perl · remote · windows
https://www.exploit-db.com/exploits/10380

This is a detailed writeup describing a remote array overrun vulnerability in Mozilla Sunbird 0.9, leading to arbitrary code execution. The vulnerability is due to an issue in the dtoa implementation in js3250.dll, allowing memory corruption via crafted float values.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Mozilla Sunbird 0.9
No auth needed
Prerequisites: A vulnerable version of Mozilla Sunbird 0.9 · Ability to deliver a malicious .ics file to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 83 stars
by Fullmetal5 · poc
https://github.com/Fullmetal5/str2hax

This repository contains a functional exploit for CVE-2009-0689, targeting a vulnerability in the Wii's str2hax exploit chain. It includes a chain builder, loader, and payload components designed to achieve remote code execution by manipulating heap structures and executing crafted instructions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Nintendo Wii (str2hax vulnerability)
No auth needed
Prerequisites: Access to a vulnerable Wii console · Ability to deliver the crafted exploit payload
devstral-2 · analyzed Feb 18, 2026

References (53)

Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=516862
Vendor Advisory x_refsource_confirm
http://www.opera.com/support/kb/view/942/
Vendor Advisory x_refsource_misc
http://secunia.com/secunia_research/2009-35/
Exploit third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/63
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507979/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/78
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0153.html
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/75
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39001
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507977/100/0/threaded
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4225
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/73
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/72
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0094
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0648
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0650
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3299
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1601.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508423/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0312.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37683
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38977
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/69
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0154.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4077
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=516396
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37682
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38066
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-915-1
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508417/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0311.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3297
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/76
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37431
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/81
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/71
Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1022478
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
Patch, Vendor Advisory x_refsource_confirm
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3334
Third Party Advisory third-party-advisory x_refsource_sreasonres
http://securityreason.com/achievement_securityalert/77
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:294
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35510

Scores

EPSS 0.2817
EPSS Percentile 97.9%

Details

CWE: CWE-119
Status: published
Products (24)
freebsd/freebsd 6.4 (7 CPE variants)
freebsd/freebsd 7.2 (3 CPE variants)
k-meleon_project/k-meleon 1.5.3
mozilla/firefox 3.0.1
mozilla/firefox 3.0.2
mozilla/firefox 3.0.3
mozilla/firefox 3.0.4
mozilla/firefox 3.0.5
mozilla/firefox 3.0.6
mozilla/firefox 3.0.7
... and 14 more
Published Jul 01, 2009
Tracked Since Feb 18, 2026