CVE-2009-1490

Sendmail < 8.13.2 - Heap-Based Buffer Overflow via Long X- Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1490. PoCs published by Simple Nomad.

AI-analyzed exploit summary: This exploit demonstrates a heap-based buffer overflow in Sendmail by sending a maliciously crafted email with an overly long header. The vulnerability allows arbitrary code execution with the privileges of the Sendmail process.

Description

Heap-based buffer overflow in Sendmail before 8.13.2 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a long X- header, as demonstrated by an X-Testing header.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Simple Nomad · text · dos · linux
https://www.exploit-db.com/exploits/32995

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Sendmail versions prior to 8.13.2
No auth needed
Prerequisites: Network access to the Sendmail service (port 25) · Ability to send crafted email headers
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Vendor Advisory x_refsource_confirm
http://www.sendmail.org/releases/8.13.2
Various Sources x_refsource_misc
http://www.nmrc.org/~thegnome/blog/apr09/
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/50355

Scores

EPSS 0.0779
EPSS Percentile 92.1%

Details

CWE CWE-119
Status published
Products (41)
sendmail/sendmail 2.6 (2 CPE variants)
sendmail/sendmail 2.6.1 (2 CPE variants)
sendmail/sendmail 2.6.2
sendmail/sendmail 3.0 (2 CPE variants)
sendmail/sendmail 3.0.1 (2 CPE variants)
sendmail/sendmail 3.0.2 (2 CPE variants)
sendmail/sendmail 3.0.3
sendmail/sendmail 4.1
sendmail/sendmail 4.55
sendmail/sendmail 5
... and 31 more
Published May 05, 2009
Tracked Since Feb 18, 2026