What are Adobe Reader and Acrobat?
Adobe Reader (the free PDF viewer) and Adobe Acrobat (the full PDF creation/editing suite) are the historically dominant tools for PDF file handling on Windows, macOS, and Linux. PDF files are a ubiquitous document format used in business, government, and personal communications — making Adobe Reader one of the most widely installed applications in enterprise environments. Because PDFs support complex embedded content (JavaScript, forms, multimedia, 3D content, and font rendering), Adobe Reader's parsing engine has historically been a high-value target for exploitation via malicious document delivery. In the 2008–2012 era, malicious PDFs were one of the primary vehicles for targeted malware delivery, particularly in spear-phishing campaigns against government, defense, and financial sector organizations.
Overview
CVE-2009-3459 is a heap-based buffer overflow in Adobe Reader and Acrobat triggered by processing a specially crafted PDF file. An attacker can embed malformed content within a PDF that overflows a heap buffer during parsing, leading to memory corruption and arbitrary code execution in the context of the user running the application. Adobe released APSB09-15 as an emergency out-of-band patch on October 8, 2009, confirming that the vulnerability was being actively exploited in the wild at the time of the patch. CISA published an alert the same week. CISA added CVE-2009-3459 to KEV in May 2026, 17 years after the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Adobe Reader 7.x | 7.1.3 and earlier | 7.1.4 |
| Adobe Reader 8.x | 8.1.6 and earlier | 8.1.7 |
| Adobe Reader 9.x | 9.1.3 and earlier | 9.2 |
| Adobe Acrobat 7.x | 7.1.3 and earlier | 7.1.4 |
| Adobe Acrobat 8.x | 8.1.6 and earlier | 8.1.7 |
| Adobe Acrobat 9.x | 9.1.3 and earlier | 9.2 |
Note: All of these versions are now many generations out of date and no longer supported by Adobe.
Technical Details
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Adobe Reader and Acrobat's PDF parsing engine contains a heap buffer overflow in its handling of a specific PDF element or embedded content type. When parsing a crafted PDF with a malformed structure, the parser allocates a heap buffer of an incorrect size and then writes data beyond the buffer's end, corrupting adjacent heap metadata and object data.
By carefully shaping the heap layout (heap spraying), an attacker can place shellcode or attacker-controlled data at a predictable heap address, so that a pointer or object corrupted by the overflow redirects execution into it. In 2009, heap spray techniques using JavaScript embedded within PDF files were well established and widely used in exploit kits targeting Adobe Reader. The resulting code runs in the context of the user running Adobe Reader — typically a standard domain user, which gives the attacker an immediate foothold on the endpoint.
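As an added illustration of the defensive side of the delivery technique described above (this is not code from the advisory or from Adobe), the following Python script performs a static first-pass triage of a PDF for the active-content markers that JavaScript-driven malicious PDFs rely on: script objects and automatic actions that fire on open. The sample PDFs are constructed inline, and the token list is an assumption chosen for triage, not a signature for this CVE.

```python
import re

# Name tokens that mark active content in a PDF. JavaScript and automatic
# actions are what 2009-era malicious PDFs used to run their payload on open;
# the list is an assumption for triage, not a signature for CVE-2009-3459.
ACTIVE_CONTENT_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes: header check, token counts, verdict."""
    findings = {"valid_header": data.startswith(b"%PDF-")}
    for tok in ACTIVE_CONTENT_TOKENS:
        # Negative lookahead stops /JS from matching the start of a longer name.
        pattern = re.escape(tok) + rb"(?![A-Za-z0-9])"
        findings[tok.decode()] = len(re.findall(pattern, data))
    # Compressed and object streams can hide the names above from a byte scan.
    findings["hidden_streams"] = len(re.findall(rb"/FlateDecode|/ObjStm", data))
    script = findings["/JavaScript"] + findings["/JS"]
    auto = findings["/OpenAction"] + findings["/AA"]
    if script and auto:
        findings["verdict"] = "suspicious: script wired to run automatically on open"
    elif script or findings["/Launch"]:
        findings["verdict"] = "review: contains script or launch action"
    elif findings["hidden_streams"]:
        findings["verdict"] = "inconclusive: decompress streams before deciding"
    else:
        findings["verdict"] = "no active content visible"
    return findings

# Constructed samples (not real malware): a minimal PDF whose catalog runs a
# JavaScript action on open, and a minimal PDF with no active content.
SAMPLE_AUTORUN_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PLAIN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("autorun-js", SAMPLE_AUTORUN_JS_PDF), ("plain", SAMPLE_PLAIN_PDF)):
        print(name, triage_pdf(pdf)["verdict"])
```

Because names inside FlateDecode'd or object streams are invisible to a byte scan, the script reports such files as inconclusive rather than clean; run a real PDF parser that inflates streams before trusting a clean result.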
Discovery
Adobe acknowledged active exploitation in the wild at the time of the APSB09-15 emergency patch release on October 8, 2009. The emergency out-of-band timing (not part of Adobe's regular quarterly patch cycle) indicates that active exploitation of CVE-2009-3459 was confirmed before Adobe completed its standard patch development timeline.
Exploitation Context
CVE-2009-3459 was actively exploited through malicious PDF documents at the time of the patch. Adobe Reader was a primary malware delivery vector throughout the 2008–2012 period — exploit kits routinely included Adobe Reader exploits alongside browser and Java exploits, and targeted attackers favored malicious PDF spear-phishing as a reliable initial access technique against enterprise targets.
The 2009 threat landscape saw heavy use of malicious PDFs by Chinese APT groups (targeting defense contractors and government agencies), Eastern European cybercriminals (targeting financial institutions), and generic crimeware exploit kits. Adobe Reader's ubiquity and the complexity of its PDF parsing made it a persistent high-value target.
CISA's May 2026 KEV addition indicates active exploitation of unpatched legacy Adobe Reader installations is still being observed — likely against organizations that have not updated extremely old systems or embedded deployments that retain outdated Adobe Reader versions.
Remediation
- Update Adobe Reader and Acrobat immediately — the fix has been available since October 2009. Any Reader/Acrobat installation at or above the fixed versions (7.1.4, 8.1.7, or 9.2) is not vulnerable to CVE-2009-3459, though it may still be exposed to the many PDF vulnerabilities patched in the years since.
- Replace legacy Adobe Reader versions — organizations running Reader 7.x, 8.x, or 9.x should upgrade to the current supported version of Adobe Acrobat Reader DC.
- Enable Protected Mode / Protected View in modern Adobe Reader — these sandboxing features (introduced in Reader X / version 10) significantly reduce the impact of PDF-based exploits even if a parsing vulnerability is triggered.
- Consider alternative PDF viewers for high-risk environments — where Adobe Reader is not required, lightweight PDF viewers with smaller attack surfaces reduce risk.
- Block or sandbox PDF opening via email clients and web browsers for high-risk users.
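To act on the first two remediation items at fleet scale, here is an added Python example (not from the advisory or from Adobe) that classifies installed Reader/Acrobat versions against the fixed releases in the Affected Versions table. The product-name prefixes and the inventory rows are constructed assumptions standing in for an asset-management export of the Windows uninstall registry entries.

```python
# Fixed releases per APSB09-15, keyed by major version family. Reader and
# Acrobat share the same version lines for this CVE, so one table serves both.
FIXED_VERSIONS = {7: (7, 1, 4), 8: (8, 1, 7), 9: (9, 2)}

def parse_version(text: str) -> tuple:
    """'9.1.3' -> (9, 1, 3). Trailing zeros are dropped so '9.2.0' == '9.2'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def cve_2009_3459_status(display_name: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'not_affected' or 'unknown' for one install."""
    if not display_name.lower().startswith(("adobe reader", "adobe acrobat")):
        return "unknown"          # some other PDF viewer; out of scope here
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"          # malformed version string in the inventory
    if v[0] not in FIXED_VERSIONS:
        # 10.x (Reader X) and later shipped after the fix; 6.x and earlier are
        # not listed in the advisory table, so they are left for manual review.
        return "not_affected" if v[0] >= 10 else "unknown"
    return "patched" if v >= FIXED_VERSIONS[v[0]] else "vulnerable"

# Constructed inventory rows (host, DisplayName, DisplayVersion); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Reader 9.1", "9.1.3"),
    ("ws-02", "Adobe Reader 9.2", "9.2.0"),
    ("kiosk-07", "Adobe Reader 8", "8.1.6"),
    ("ws-03", "Adobe Acrobat 7 Professional", "7.1.4"),
    ("ws-04", "Adobe Acrobat Reader DC", "24.002.20933"),
    ("ws-05", "Foxit Reader", "9.0.1"),
]

def hosts_needing_remediation(inventory) -> list:
    """Hosts whose Reader/Acrobat install is below the fixed version for its family."""
    return [host for host, name, ver in inventory
            if cve_2009_3459_status(name, ver) == "vulnerable"]

if __name__ == "__main__":
    for host, name, ver in SAMPLE_INVENTORY:
        print(f"{host:10} {name:30} {ver:14} {cve_2009_3459_status(name, ver)}")
    print("remediate:", hosts_needing_remediation(SAMPLE_INVENTORY))
```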
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2009-3459 |
| Vendor / Product | Adobe — Acrobat and Reader |
| NVD Published | 2009-10-13 |
| NVD Last Modified | 2026-05-21 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 |
| CISA KEV Added | 2026-05-20 |
| CISA KEV Deadline | 2026-06-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | Required (R) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Timeline
| Date | Event |
|---|---|
| 2009-10-08 | Adobe releases APSB09-15 as an emergency out-of-band patch for CVE-2009-3459 — active exploitation confirmed at time of release |
| 2009-10-13 | CISA publishes alert on Adobe Reader and Acrobat vulnerabilities; CVE-2009-3459 published to NVD |
| 2026-05-20 | CISA adds CVE-2009-3459 to Known Exploited Vulnerabilities catalog — 17 years after the patch |
| 2026-06-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| CISA Alert — Adobe Reader and Acrobat Vulnerabilities (October 2009) | US Government |
| NVD — CVE-2009-3459 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |