On 20 May 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2009‑3459 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Adobe Acrobat and Reader and is identified as the Adobe Acrobat and Reader Heap‑Based Buffer Overflow Vulnerability. In short, a heap‑based buffer overflow in the software can be triggered by a malicious PDF file, allowing remote code execution.
The vulnerability is a heap‑based buffer overflow that can lead to arbitrary code execution when a user opens a specially crafted PDF. Attackers can exploit it remotely via the file‑opening vector. The Common Vulnerability Scoring System assigns it a score of 8.8, rating it as HIGH severity. A patch has been released by Adobe. Exploitation requires a user to open a malicious PDF file; no authentication or special privileges are needed.
CISA’s inclusion in the KEV catalogue confirms that active exploitation of CVE‑2009‑3459 has been observed in the wild. No public reports link this flaw to ransomware campaigns at present. Federal agencies must apply the required mitigations by the CISA‑set deadline of 3 June 2026. The KEV entry serves as a signal to prioritise remediation across affected systems.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations are advised to review their Adobe Acrobat and Reader installations and apply the available patch or equivalent mitigations.
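As an added illustration of how a defender can turn a KEV entry like this one into a remediation deadline check, the following script (example code written for this page, not CISA's or Adobe's own tooling) parses a feed in the layout of CISA's KEV JSON file, matches entries against a software inventory, and reports how many days remain before the due date. It assumes the KEV feed's field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`, `requiredAction`); the single sample entry embedded below is constructed from the values stated on this page so the script runs offline.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample feed (one entry built from this page's values), laid out
# like the CISA KEV JSON feed. Replace with the downloaded feed in practice.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2009-3459",
            "vendorProject": "Adobe",
            "product": "Acrobat and Reader",
            "vulnerabilityName": "Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability",
            "dateAdded": "2026-05-20",
            "shortDescription": "Heap-based buffer overflow triggered by a crafted PDF, allowing remote code execution.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 "
                              "guidance for cloud services, or discontinue use of the product if "
                              "mitigations are unavailable.",
            "dueDate": "2026-06-03",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "https://nvd.nist.gov/vuln/detail/CVE-2009-3459",
        }
    ],
})


@dataclass(frozen=True)
class KevItem:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    known_ransomware_use: bool
    required_action: str


def parse_kev(feed_json: str) -> list[KevItem]:
    """Parse KEV feed JSON into KevItem records; ISO date strings become date objects."""
    data = json.loads(feed_json)
    items = []
    for v in data.get("vulnerabilities", []):
        items.append(KevItem(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            # The feed flags ransomware use with the strings "Known" / "Unknown".
            known_ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
            required_action=v["requiredAction"],
        ))
    return items


def applies_to(item: KevItem, inventory: dict[str, list[str]]) -> bool:
    """True if an inventoried product of the same vendor appears in the KEV product field.

    Case-insensitive substring match, so an inventory entry "Reader" matches the
    KEV product string "Acrobat and Reader".
    """
    kev_product = item.product.lower()
    return any(p.lower() in kev_product for p in inventory.get(item.vendor, []))


def triage(items: list[KevItem], inventory: dict[str, list[str]], today: date) -> list[dict]:
    """Return the KEV entries relevant to the inventory, most urgent first."""
    rows = []
    for item in items:
        if not applies_to(item, inventory):
            continue
        days_left = (item.due_date - today).days
        rows.append({
            "cve_id": item.cve_id,
            "product": f"{item.vendor} {item.product}",
            "due_date": item.due_date.isoformat(),
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "due",
            "ransomware": item.known_ransomware_use,
            "action": item.required_action,
        })
    # Overdue entries first, then ransomware-linked ones, then nearest due date.
    rows.sort(key=lambda r: (r["days_left"] >= 0, not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    # Hypothetical inventory: vendor -> deployed product names.
    inventory = {"Adobe": ["Reader"]}
    for row in triage(parse_kev(SAMPLE_KEV_FEED), inventory, date.today()):
        print(f"{row['cve_id']}  {row['product']}  due {row['due_date']}  "
              f"{row['status']} ({row['days_left']} days)  -> {row['action']}")
```

Running it against the real feed only requires replacing `SAMPLE_KEV_FEED` with the downloaded JSON text; the inventory mapping is the part each organisation supplies from its own asset records, and the sort order puts overdue and ransomware-linked items at the top of the remediation queue.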
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2009-3459 and the CISA KEV catalogue.