CVE-2009-3867

EXPLOITED

Sun Java JRE getSoundbank file:// URI Buffer Overflow

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2009-3867 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Tometzky, kf, jduck, including a Metasploit module exploits/multi/browser/java_getsoundbank_bof.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in the Sun Java JRE getSoundbank function via a malicious applet. It delivers a serialized payload through PARAM tags and targets multiple platforms.

Description

Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a long file: URL in an argument, aka Bug Id 6854303.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotemultiple
https://www.exploit-db.com/exploits/16294

This Metasploit module exploits a buffer overflow in the Sun Java JRE getSoundbank function via a malicious applet. It delivers a serialized payload through PARAM tags and targets multiple platforms.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sun Java JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, SDK and JRE 1.3.1_26 and earlier
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java applet must be allowed to run
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Tometzky · javaremotemultiple
https://www.exploit-db.com/exploits/33316

This exploit leverages a heap spray technique combined with a stack overflow in Java's MIDI soundbank handling to achieve arbitrary code execution. It targets a vulnerability in Java SE versions prior to the updates released in 2009.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Java SE (JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, SDK and JRE 1.3.1_26 and earlier)
No auth needed
Prerequisites: Victim must run a vulnerable version of Java SE · Victim must visit a malicious webpage hosting the exploit applet
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Tometzky · javaremotelinux
https://www.exploit-db.com/exploits/33315

This exploit targets a vulnerability in Java SE's MIDI system to achieve arbitrary code execution by crafting a malicious file path with a buffer overflow. It checks the OS and constructs a path with repeated slashes followed by a controlled payload to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Java SE (JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, SDK and JRE 1.3.1_26 and earlier)
No auth needed
Prerequisites: Victim must run the malicious applet · Java SE with vulnerable MIDI system components
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by kf, jduck · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_getsoundbank_bof.rb

This Metasploit module exploits a buffer overflow in the getSoundbank function in Sun Java JRE versions 6 Update 16 and earlier, 5.0 Update 21 and earlier, 1.4.2_23 and earlier, and 1.3.1_26 and earlier. It delivers a serialized payload via an applet to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sun Java JRE (versions 6u16 and earlier, 5.0u21 and earlier, 1.4.2_23 and earlier, 1.3.1_26 and earlier)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java applet must be allowed to run in the victim's browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (25)

Core 25
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200911-02.xml
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=126566824131534&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36881
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6746
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT3970
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134254866602253&w=2
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT3969
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=131593453929393&w=2
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1694.html
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37231
Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023132
Patch, Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3131
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37581
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11903
Vendor Advisory x_refsource_confirm
http://java.sun.com/javase/6/webnotes/6u17.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37841
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37239
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7750
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37386

Scores

EPSS 0.7338
EPSS Percentile 99.4%

Details

VulnCheck KEV 2010-05-01
CWE
CWE-119
Status published
Products (3)
sun/jdk 1.5.0 update_1 (21 CPE variants)
sun/jdk 1.6.0 update_1 (16 CPE variants)
sun/jre 1.5.0 update_1 (13 CPE variants)
Published Nov 05, 2009
Tracked Since Feb 18, 2026