Vulnerability intelligence

CVE-2009-1537

Microsoft DirectX NULL Byte Overwrite Vulnerability

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."

CVSS Score

8.8

High

EPSS — Exploit Probability

53%

Riskier than 98% of all CVEs

Exploitation

Confirmed in the wild

Used in ransomware campaigns

Remediation

Patch available

Federal deadline 2026-06-03

CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-06-03.

NVD entry Vendor patch PoC / advisory CISA KEV

4 articles across 3 outlets · first covered May 20, 2026 · latest May 21, 2026

Coverage timeline

CISA Adds Critical Flaws in Windows, Office, Defender to KEV List
securityaffairs.com · May 21, 2026
CISA logs CVE-2009-1537 DirectX flaw in KEV catalog
www.cisa.gov · May 20, 2026
CISA Adds 2009 DirectX Flaw to KEV After QuickTime Exploit
cisa.gov · May 20, 2026
CISA adds seven KEV flaws, including 2026 Microsoft Defender bugs
www.cisa.gov · May 20, 2026

Related CVEs — Microsoft

CVE-2026-41091KEV CVE-2008-4250KEV CVE-2010-0249KEV CVE-2010-0806KEV CVE-2026-45498KEV CVE-2026-33825KEV CVE-2026-42897KEV CVE-2025-62221KEV