CVE-2009-3953

HIGH KEV

Adobe Reader/Acrobat <9.3 - RCE

Title source: llm

Description

The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.

Exploits (2)

metasploit WORKING POC GOOD
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16622

Scores

CVSS v3 8.8
EPSS 0.9051
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2022-06-08
VulnCheck KEV 2016-09-29
InTheWild.io 2019-01-01
ENISA EUVD EUVD-2009-3924

Classification

CWE
CWE-787
Status draft

Affected Products (6)

adobe/acrobat < 7.1.4
suse/linux_enterprise_debuginfo
opensuse/opensuse
opensuse/opensuse
suse/linux_enterprise
suse/linux_enterprise

Timeline

Published Jan 13, 2010
KEV Added Jun 08, 2022
Tracked Since Feb 18, 2026