CVE-2009-4324

HIGH KEV

Adobe Reader/Acrobat 9.x < 9.3 and 8.x < 8.2 - RCE

Title source: llm

Exploitation Summary

CVE-2009-4324 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added June 8, 2022). EIP tracks 5 public exploits, credited to Metasploit, Ahmed Obied, unknown, hdm, pusscat, jduck and jabra; these include the Metasploit module exploits/windows/browser/adobe_media_newplayer.

AI-analyzed exploit summary: This exploit leverages a use-after-free vulnerability in Adobe Reader and Acrobat Professional up to version 9.2. It uses JavaScript heap spraying to achieve remote code execution via a maliciously crafted PDF file.

Description

Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16623

This exploit leverages a use-after-free vulnerability in Adobe Reader and Acrobat Professional up to version 9.2. It uses JavaScript heap spraying to achieve remote code execution via a maliciously crafted PDF file.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional up to 9.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16503

This exploit leverages a use-after-free vulnerability in Adobe Reader and Acrobat Professional up to version 9.2. It employs JavaScript heap spraying and a malformed PDF to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Acrobat Professional up to 9.2
No auth needed
Prerequisites: Target must open a malicious PDF file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ahmed Obied · python · local · windows
https://www.exploit-db.com/exploits/10618

This Python script generates a malicious PDF file exploiting CVE-2009-4324 in Adobe Reader/Acrobat. It uses a heap spray technique and a JavaScript payload to trigger a vulnerability in the `newPlayer` function, executing arbitrary code (calc.exe).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Acrobat 9.2.0
No auth needed
Prerequisites: Target must open the generated PDF file · Adobe Reader/Acrobat 9.2.0 or vulnerable version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by unknown, hdm, pusscat, jduck, jabra · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/adobe_media_newplayer.rb

This Metasploit module exploits a use-after-free vulnerability in Adobe Reader and Acrobat Professional up to version 9.2 via a crafted PDF file containing malicious JavaScript. The exploit uses heap spraying and a JavaScript payload to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Acrobat Professional up to 9.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by unknown, hdm, pusscat, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/adobe_media_newplayer.rb

This Metasploit module exploits a use-after-free vulnerability in Adobe Reader and Acrobat Professional (up to version 9.2) via a crafted PDF file containing malicious JavaScript. The exploit uses heap spraying and a JavaScript payload to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe Reader and Adobe Acrobat Professional up to and including 9.2
No auth needed
Prerequisites: Victim must open the malicious PDF file
devstral-2 · analyzed Feb 16, 2026

References (22)

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37331
Broken Link, Vendor Advisory x_refsource_misc
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37690
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38138
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=547799
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/60980
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/508357
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54747
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3518
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0060.html
Exploit, Third Party Advisory x_refsource_misc
http://contagiodump.blogspot.com/2009/12/virustotal-httpwww.html
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0103
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38215
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-013A.html

Scores

CVSS v3 7.8
EPSS 0.9286
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-06-08
VulnCheck KEV 2009-12-15
InTheWild.io 2018-10-30
ENISA EUVD EUVD-2009-4292
CWE CWE-416
Status published
Products (6)
adobe/acrobat 8.0 - 8.2
adobe/acrobat_reader 8.0 - 8.2
opensuse/opensuse 11.1
opensuse/opensuse 11.2
suse/linux_enterprise 10.0 sp2 (2 CPE variants)
suse/linux_enterprise_debuginfo 11
Published Dec 15, 2009
KEV Added Jun 08, 2022
Tracked Since Feb 18, 2026