CVE-2009-4324
HIGH
CISA KEV
Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
Published: Dec 15, 2009
Modified: Apr 21, 2026
CWE-416
CVSS Metrics
CVSSv3
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products (9)
| Vendor | Product | Version |
|---|---|---|
| adobe | acrobat | * ≥ 8.0 < 8.2 |
| adobe | acrobat | * ≥ 9.0 < 9.3 |
| adobe | acrobat_reader | * ≥ 8.0 < 8.2 |
| adobe | acrobat_reader | * ≥ 9.0 < 9.3 |
| suse | linux_enterprise_debuginfo | 11 |
| opensuse | opensuse | 11.1 |
| opensuse | opensuse | 11.2 |
| suse | linux_enterprise | 10.0 |
| suse | linux_enterprise | 10.0 |
GitHub Security Advisory GHSA-rv25-qx26-27xv
Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader...
References (43)
- http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html Broken Link, Vendor Advisory
- http://contagiodump.blogspot.com/2009/12/virustotal-httpwww.html Exploit, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html Mailing List, Third Party Advisory
- http://osvdb.org/60980 Broken Link
- http://secunia.com/advisories/37690 Broken Link, Vendor Advisory
- http://secunia.com/advisories/38138 Broken Link, Vendor Advisory
- http://secunia.com/advisories/38215 Broken Link, Vendor Advisory
- http://www.adobe.com/support/security/advisories/apsa09-07.html Vendor Advisory
- http://www.adobe.com/support/security/bulletins/apsb10-02.html Not Applicable
- http://www.kb.cert.org/vuls/id/508357 Third Party Advisory, US Government Resource
- http://www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb Broken Link
- http://www.redhat.com/support/errata/RHSA-2010-0060.html Broken Link
- http://www.securityfocus.com/bid/37331 Broken Link, Third Party Advisory, VDB Entry
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214 Broken Link
- http://www.symantec.com/connect/blogs/zero-day-xmas-present Broken Link
Risk Scores
- CVSS Score: 7.8 / 10
- EPSS Score: 92.86% (Top 0% most likely to be exploited)
- Threat Score: 89.1 / 100
CISA Known Exploited
- Date Added: 2022-06-08
- Due Date: 2022-06-22
- Required Action: Apply updates per vendor instructions.
Data Sources
NVD
CISA KEV
EPSS
GitHub