Heap Buffer Overflow in Adobe Acrobat/Reader (CVE-2009-3459) — Crafted PDF May Allow Remote Code Execution
A vulnerability in Adobe Acrobat and Reader (CVE-2009-3459) allows a crafted PDF to corrupt memory and potentially let a remote attacker run arbitrary code when the file is opened. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2026-05-20.
Key facts
- CVE ID: CVE-2009-3459
- CVSS base score: 8.8 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Affected (vendor / product): Adobe Acrobat and Reader
- CWE: CWE-119
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-03 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Opening a crafted PDF can corrupt memory and may let a remote attacker execute arbitrary code (CVE-2009-3459).
- Exploitation requires the user to open the file (UI:R in CVSS); routinely opened PDFs can be the entry point.
- Official NVD CVSS is 8.8 (HIGH; CVSS:3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
- CISA added it to the KEV catalog on 2026-05-20, with a remediation due date of 2026-06-03.
- A 2009-era flaw entering KEV in 2026 shows that leaving old versions in place can still pose risk.
This vulnerability stems from how Adobe Acrobat and Reader handle memory when processing PDFs. A heap-based buffer overflow occurs when more data is written into a heap-allocated region than it was sized to hold; the excess overwrites adjacent heap data and allocator metadata, corrupting internal data structures and creating room for attacker-supplied code to run. CISA's record states that a crafted PDF file induces memory corruption and may allow a remote attacker to execute arbitrary code. The attack requires the user to open the file (reflected in the CVSS metrics as UI:R, meaning user interaction is required), so everyday actions such as opening an email attachment or a downloaded document can serve as the entry point.
PDF is one of the most commonly opened document formats in both work and personal contexts, making this a textbook case of a document file itself becoming the attack vector. The official NVD CVSS score (a common standard for quantifying severity) is 8.8 (HIGH; CVSS:3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), a band reflecting high potential impact to confidentiality, integrity, and availability. Although this was originally disclosed back in 2009, its addition to the KEV catalog in May 2026 illustrates how continuing to run unsupported, outdated versions can still translate into real-world exposure.
The basic way to address this is to check the version of Acrobat/Reader in use and update to a supported release following Adobe's guidance. Under Binding Operational Directive (BOD) 22-01, CISA directs federal agencies to apply mitigations per vendor instructions, and to discontinue use of the product if mitigations cannot be applied. The remediation due date is set to 2026-06-03.
Why it matters
Because PDF is a standard business document format, this vulnerability has broad reach: many endpoints can be targeted through attachments and shared documents. Successful arbitrary code execution could lead to data exposure or tampering and operational disruption, and CISA's KEV listing (remediation due 2026-06-03) makes remediation mandatory for federal agencies. For organizations, the practical focus is inventorying Adobe Acrobat/Reader versions, updating to current releases, and setting rules for handling PDFs from unknown sources.
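The inventory and due-date steps described above, as an added defender-side example that is not part of this page or of CISA's or Adobe's own tooling: it reads a record in the shape of CISA's KEV JSON feed, matches it against an endpoint inventory, and reports how many days remain before the BOD 22-01 due date. The feed excerpt and the inventory are constructed, and the minimum supported version is a placeholder to be replaced with the value from Adobe's advisory.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (fields as published by
# CISA; values taken from the advisory above, the real feed has many more entries).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [{
    "cveID": "CVE-2009-3459",
    "vendorProject": "Adobe",
    "product": "Acrobat and Reader",
    "vulnerabilityName": "Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability",
    "dateAdded": "2026-05-20",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
    "dueDate": "2026-06-03"
  }]
}"""

# Constructed endpoint inventory: hostname -> (vendor, product, installed version).
INVENTORY = {
    "ws-001": ("Adobe", "Acrobat Reader", "9.1.3"),
    "ws-002": ("Adobe", "Acrobat Reader", "24.002.20857"),
    "srv-01": ("Microsoft", "Office", "16.0"),
}

def kev_entries_for(feed_json, vendor, product_keyword):
    """Return KEV entries for the vendor whose product name contains the keyword."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()
            and product_keyword.lower() in v["product"].lower()]

def days_until_due(entry, today_iso):
    """Days from today (ISO date string) to the KEV dueDate; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days

def version_tuple(version):
    """'9.1.3' -> (9, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def triage(feed_json, inventory, min_supported, today_iso):
    """Map each host running Adobe Reader below min_supported to its open KEV obligations."""
    entries = kev_entries_for(feed_json, "Adobe", "Reader")
    findings = {}
    for host, (vendor, product, version) in inventory.items():
        if vendor.lower() != "adobe" or "reader" not in product.lower():
            continue  # not Acrobat/Reader, outside this advisory's scope
        if version_tuple(version) >= version_tuple(min_supported):
            continue  # already on a supported release
        findings[host] = [{"cveID": e["cveID"],
                           "days_until_due": days_until_due(e, today_iso),
                           "overdue": days_until_due(e, today_iso) < 0,
                           "requiredAction": e["requiredAction"]} for e in entries]
    return findings

if __name__ == "__main__":
    # "10.0" is a PLACEHOLDER: use the minimum supported version from Adobe's advisory.
    print(json.dumps(triage(KEV_FEED_JSON, INVENTORY, "10.0", "2026-06-10"), indent=2))
```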
FAQ
How can I tell whether I am affected?
Am I safe if I simply do not open PDFs?
Sources (primary)
This article is an independently organized summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).