CVE-2009-3953
HIGH
CISA KEV
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.
Published: Jan 13, 2010
Modified: Apr 21, 2026
CWE-787
CVSS Metrics
CVSSv3
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products (8)
| Vendor | Product | Version |
|---|---|---|
| adobe | acrobat | * ≥ 7.0 < 7.1.4 |
| adobe | acrobat | * ≥ 8.0 < 8.2 |
| adobe | acrobat | * ≥ 9.0 < 9.3 |
| suse | linux_enterprise_debuginfo | 11 |
| opensuse | opensuse | 11.1 |
| opensuse | opensuse | 11.2 |
| suse | linux_enterprise | 10.0 |
| suse | linux_enterprise | 10.0 |
GitHub Security Advisory GHSA-q4f6-24ph-r6rm
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and...
References (29)
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html Mailing List, Third Party Advisory
- http://osvdb.org/61690 Broken Link
- http://secunia.com/advisories/38138 Broken Link
- http://secunia.com/advisories/38215 Broken Link
- http://www.adobe.com/support/security/bulletins/apsb10-02.html Not Applicable, Patch, Vendor Advisory
- http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_u3d_meshdecl Third Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0060.html Broken Link
- http://www.securityfocus.com/bid/37758 Broken Link, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023446 Broken Link, Third Party Advisory, VDB Entry
- http://www.us-cert.gov/cas/techalerts/TA10-013A.html Third Party Advisory, US Government Resource
- http://www.vupen.com/english/advisories/2010/0103 Broken Link, Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=554293 Issue Tracking
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55551 Third Party Advisory, VDB Entry
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8242 Broken Link
Risk Scores
- CVSS Score: 8.8 / 10
- EPSS Score: 90.51% (Top 0% most likely to be exploited)
- Threat Score: 92.4 / 100
CISA Known Exploited
- Date Added: 2022-06-08
- Due Date: 2022-06-22
- Required Action: Apply updates per vendor instructions.
Data Sources
NVD
CISA KEV
EPSS
GitHub