CVE-2009-0583

Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

Published: 2009-03-23
Last update: 2026-04-23
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2009-0583 is rated High Risk (69.5/100): CVSS Critical severity, with high exploitation likelihood (EPSS 4.71%, 91st percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: high exploitation likelihood; assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2009-0583

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 4.08% | 4.71% | +0.63% |
| 2 | 2026-06-13 | 4.57% | 4.08% | -0.49% |
| 3 | 2026-03-11 | 4.57% | | |

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-0583

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 2.0 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | [email protected] |

Vector breakdown:
- Access vector (AV:N): exploitable remotely over the network.
- Access complexity (AC:M): exploitation needs some favorable conditions, but not exceptional ones.
- Authentication (Au:N): no authentication is required.
- Confidentiality impact (C:C): complete confidentiality impact.
- Integrity impact (I:C): complete integrity impact.
- Availability impact (A:C): complete availability impact.

Weakness enumeration for CVE-2009-0583

OS Trackers for CVE-2009-0583

| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | medium | CVE-2009-0583 medium priority: Debian including 2 source packages (argyll, ghostscript), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. | https://security-tracker.debian.org/tracker/CVE-2009-0583 |
| gentoo | normal | CVE-2009-0583: 1 GLSA(s) (200903-37), 3 atom(s) (app-text/ghostscript-esp, app-text/ghostscript-gnu, app-text/ghostscript-gpl); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-0583 |
| redhat | medium | | https://access.redhat.com/security/cve/CVE-2009-0583 |
| ubuntu | medium | CVE-2009-0583 medium priority: Ubuntu including 2 source packages (ghostscript, gs-gpl), 10 status rows across 5 suites (dapper, gutsy, hardy, intrepid, upstream): DNE 4, released 4, needs-triage 2. | https://ubuntu.com/security/CVE-2009-0583 |

Affected software / configurations for CVE-2009-0583

| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ghostscript | ghostscript | <= 8.64 | cpe:2.3:a:ghostscript:ghostscript:*:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 5.50 | cpe:2.3:a:ghostscript:ghostscript:5.50:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 7.05 | cpe:2.3:a:ghostscript:ghostscript:7.05:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 7.07 | cpe:2.3:a:ghostscript:ghostscript:7.07:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.0.1 | cpe:2.3:a:ghostscript:ghostscript:8.0.1:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.15 | cpe:2.3:a:ghostscript:ghostscript:8.15:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.15.2 | cpe:2.3:a:ghostscript:ghostscript:8.15.2:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.54 | cpe:2.3:a:ghostscript:ghostscript:8.54:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.56 | cpe:2.3:a:ghostscript:ghostscript:8.56:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.57 | cpe:2.3:a:ghostscript:ghostscript:8.57:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.61 | cpe:2.3:a:ghostscript:ghostscript:8.61:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.62 | cpe:2.3:a:ghostscript:ghostscript:8.62:*:*:*:*:*:*:* |
| ghostscript | ghostscript | 8.63 | cpe:2.3:a:ghostscript:ghostscript:8.63:*:*:*:*:*:*:* |
| argyllcms | argyllcms | <= 1.0.3 | cpe:2.3:a:argyllcms:argyllcms:*:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.1.0 | cpe:2.3:a:argyllcms:argyllcms:0.1.0:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.2.0 | cpe:2.3:a:argyllcms:argyllcms:0.2.0:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.2.1 | cpe:2.3:a:argyllcms:argyllcms:0.2.1:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.2.2 | cpe:2.3:a:argyllcms:argyllcms:0.2.2:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.3.0 | cpe:2.3:a:argyllcms:argyllcms:0.3.0:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.6.0 | cpe:2.3:a:argyllcms:argyllcms:0.6.0:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 0.7.0 | cpe:2.3:a:argyllcms:argyllcms:0.7.0:beta_8:*:*:*:*:*:* |
| argyllcms | argyllcms | 1.0.0 | cpe:2.3:a:argyllcms:argyllcms:1.0.0:*:*:*:*:*:*:* |
| argyllcms | argyllcms | 1.0.2 | cpe:2.3:a:argyllcms:argyllcms:1.0.2:*:*:*:*:*:*:* |

References for CVE-2009-0583

| URL | Tags |
|---|---|
| http://bugs.gentoo.org/show_bug.cgi?id=261087 | |
| http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html | |
| http://secunia.com/advisories/34266 | Vendor Advisory |
| http://secunia.com/advisories/34373 | Vendor Advisory |
| http://secunia.com/advisories/34381 | Vendor Advisory |
| http://secunia.com/advisories/34393 | Vendor Advisory |
| http://secunia.com/advisories/34398 | Vendor Advisory |
| http://secunia.com/advisories/34418 | Vendor Advisory |
| http://secunia.com/advisories/34437 | Vendor Advisory |
| http://secunia.com/advisories/34443 | Vendor Advisory |
| http://secunia.com/advisories/34469 | Vendor Advisory |
| http://secunia.com/advisories/34729 | |
| http://secunia.com/advisories/35559 | |
| http://secunia.com/advisories/35569 | |
| http://securitytracker.com/id?1021868 | |
| http://sunsolve.sun.com/search/document.do?assetkey=1-26-262288-1 | |
| http://support.avaya.com/elmodocs2/security/ASA-2009-098.htm | |
| http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050 | Vendor Advisory |
| http://www.auscert.org.au/render.html?it=10666 | US Government Resource |
| http://www.debian.org/security/2009/dsa-1746 | Vendor Advisory |
| http://www.gentoo.org/security/en/glsa/glsa-200903-37.xml | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2009:095 | |
| http://www.mandriva.com/security/advisories?name=MDVSA-2009:096 | |
| http://www.redhat.com/support/errata/RHSA-2009-0345.html | Vendor Advisory |
| http://www.securityfocus.com/archive/1/501994/100/0/threaded | |
| http://www.securityfocus.com/bid/34184 | |
| http://www.ubuntu.com/usn/USN-743-1 | |
| http://www.vupen.com/english/advisories/2009/0776 | Vendor Advisory |
| http://www.vupen.com/english/advisories/2009/0777 | Vendor Advisory |
| http://www.vupen.com/english/advisories/2009/0816 | Vendor Advisory |
| http://www.vupen.com/english/advisories/2009/1708 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=487742 | Vendor Advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/49329 | |
| https://issues.rpath.com/browse/RPL-2991 | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10795 | |
| https://usn.ubuntu.com/757-1/ | |
| https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00770.html | Vendor Advisory |
| https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00772.html | Vendor Advisory |
| https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00887.html | |
| https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00916.html | |