CVE-2009-0799 [Medium] | Memory Corruption in Xpdf

The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-06	0.66%	0.97%	+0.31%
2	2025-11-09	0.60%	0.66%	+0.06%
3	2025-11-04	—	0.60%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-06

0.66%

0.97%

+0.31%

2025-11-09

0.60%

0.66%

+0.06%

2025-11-04

—

0.60%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

2.9

[email protected]

OS Trackers for CVE-2009-0799

vendor	priority	summary	link
`debian`	medium	CVE-2009-0799 medium priority: Debian including 2 source packages (poppler, xpdf), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2009-0799
`gentoo`	normal	CVE-2009-0799: 1 GLSA(s) (201310-03), 1 atom(s) (app-text/poppler); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-0799
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2009-0799
`suse`	medium	CVE-2009-0799 severity moderate: SUSE including 90 source package names (libpoppler-cpp0-0.43.0-15.1, libpoppler-cpp0-0.43.0-16.15.1, …), 157 product×package rows across 33 product lines (SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Desktop 12 SP1, … (33 product lines)): Fixed 157.	https://www.suse.com/security/cve/CVE-2009-0799/
`ubuntu`	medium	CVE-2009-0799 medium priority: Ubuntu including 14 source packages (cups, cupsys, …), 476 status rows across 34 suites (artful, bionic, cosmic, dapper, disco, eoan, focal, groovy, gutsy, hardy, hirsute, impish, intrepid, jammy, jaunty, karmic, kinetic, lucid, lunar, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): DNE 216, not-affected 169, ignored 43 (5 distinct statuses).	https://ubuntu.com/security/CVE-2009-0799

Affected software / configurations for CVE-2009-0799

Vendor	Product	Version	Raw CPE
foolabs	xpdf	0.5a	cpe:2.3:a:foolabs:xpdf:0.5a:::::::*
foolabs	xpdf	0.7a	cpe:2.3:a:foolabs:xpdf:0.7a:::::::*
foolabs	xpdf	0.91a	cpe:2.3:a:foolabs:xpdf:0.91a:::::::*
foolabs	xpdf	0.91b	cpe:2.3:a:foolabs:xpdf:0.91b:::::::*
foolabs	xpdf	0.91c	cpe:2.3:a:foolabs:xpdf:0.91c:::::::*
foolabs	xpdf	0.92a	cpe:2.3:a:foolabs:xpdf:0.92a:::::::*
foolabs	xpdf	0.92b	cpe:2.3:a:foolabs:xpdf:0.92b:::::::*
foolabs	xpdf	0.92c	cpe:2.3:a:foolabs:xpdf:0.92c:::::::*
foolabs	xpdf	0.92d	cpe:2.3:a:foolabs:xpdf:0.92d:::::::*
foolabs	xpdf	0.92e	cpe:2.3:a:foolabs:xpdf:0.92e:::::::*
foolabs	xpdf	0.93a	cpe:2.3:a:foolabs:xpdf:0.93a:::::::*
foolabs	xpdf	0.93b	cpe:2.3:a:foolabs:xpdf:0.93b:::::::*
foolabs	xpdf	0.93c	cpe:2.3:a:foolabs:xpdf:0.93c:::::::*
foolabs	xpdf	1.00a	cpe:2.3:a:foolabs:xpdf:1.00a:::::::*
glyphandcog	xpdfreader	<= 3.02	cpe:2.3:a:glyphandcog:xpdfreader::::::::
glyphandcog	xpdfreader	0.2	cpe:2.3:a:glyphandcog:xpdfreader:0.2:::::::*
glyphandcog	xpdfreader	0.3	cpe:2.3:a:glyphandcog:xpdfreader:0.3:::::::*
glyphandcog	xpdfreader	0.4	cpe:2.3:a:glyphandcog:xpdfreader:0.4:::::::*
glyphandcog	xpdfreader	0.5	cpe:2.3:a:glyphandcog:xpdfreader:0.5:::::::*
glyphandcog	xpdfreader	0.6	cpe:2.3:a:glyphandcog:xpdfreader:0.6:::::::*
glyphandcog	xpdfreader	0.7	cpe:2.3:a:glyphandcog:xpdfreader:0.7:::::::*
glyphandcog	xpdfreader	0.80	cpe:2.3:a:glyphandcog:xpdfreader:0.80:::::::*
glyphandcog	xpdfreader	0.90	cpe:2.3:a:glyphandcog:xpdfreader:0.90:::::::*
glyphandcog	xpdfreader	0.91	cpe:2.3:a:glyphandcog:xpdfreader:0.91:::::::*
glyphandcog	xpdfreader	0.92	cpe:2.3:a:glyphandcog:xpdfreader:0.92:::::::*
glyphandcog	xpdfreader	0.93	cpe:2.3:a:glyphandcog:xpdfreader:0.93:::::::*
glyphandcog	xpdfreader	1.00	cpe:2.3:a:glyphandcog:xpdfreader:1.00:::::::*
glyphandcog	xpdfreader	1.01	cpe:2.3:a:glyphandcog:xpdfreader:1.01:::::::*
glyphandcog	xpdfreader	2.00	cpe:2.3:a:glyphandcog:xpdfreader:2.00:::::::*
glyphandcog	xpdfreader	2.01	cpe:2.3:a:glyphandcog:xpdfreader:2.01:::::::*
glyphandcog	xpdfreader	2.02	cpe:2.3:a:glyphandcog:xpdfreader:2.02:::::::*
glyphandcog	xpdfreader	2.03	cpe:2.3:a:glyphandcog:xpdfreader:2.03:::::::*
glyphandcog	xpdfreader	3.00	cpe:2.3:a:glyphandcog:xpdfreader:3.00:::::::*
glyphandcog	xpdfreader	3.01	cpe:2.3:a:glyphandcog:xpdfreader:3.01:::::::*
poppler	poppler	<= 0.10.5	cpe:2.3:a:poppler:poppler::::::::
poppler	poppler	0.1	cpe:2.3:a:poppler:poppler:0.1:::::::*
poppler	poppler	0.1.1	cpe:2.3:a:poppler:poppler:0.1.1:::::::*
poppler	poppler	0.1.2	cpe:2.3:a:poppler:poppler:0.1.2:::::::*
poppler	poppler	0.2.0	cpe:2.3:a:poppler:poppler:0.2.0:::::::*
poppler	poppler	0.3.0	cpe:2.3:a:poppler:poppler:0.3.0:::::::*
poppler	poppler	0.3.1	cpe:2.3:a:poppler:poppler:0.3.1:::::::*
poppler	poppler	0.3.2	cpe:2.3:a:poppler:poppler:0.3.2:::::::*
poppler	poppler	0.3.3	cpe:2.3:a:poppler:poppler:0.3.3:::::::*
poppler	poppler	0.4.0	cpe:2.3:a:poppler:poppler:0.4.0:::::::*
poppler	poppler	0.4.1	cpe:2.3:a:poppler:poppler:0.4.1:::::::*
poppler	poppler	0.4.2	cpe:2.3:a:poppler:poppler:0.4.2:::::::*
poppler	poppler	0.4.3	cpe:2.3:a:poppler:poppler:0.4.3:::::::*
poppler	poppler	0.4.4	cpe:2.3:a:poppler:poppler:0.4.4:::::::*
poppler	poppler	0.5.0	cpe:2.3:a:poppler:poppler:0.5.0:::::::*
poppler	poppler	0.5.1	cpe:2.3:a:poppler:poppler:0.5.1:::::::*
poppler	poppler	0.5.2	cpe:2.3:a:poppler:poppler:0.5.2:::::::*
poppler	poppler	0.5.3	cpe:2.3:a:poppler:poppler:0.5.3:::::::*
poppler	poppler	0.5.4	cpe:2.3:a:poppler:poppler:0.5.4:::::::*
poppler	poppler	0.5.9	cpe:2.3:a:poppler:poppler:0.5.9:::::::*
poppler	poppler	0.5.90	cpe:2.3:a:poppler:poppler:0.5.90:::::::*
poppler	poppler	0.5.91	cpe:2.3:a:poppler:poppler:0.5.91:::::::*
poppler	poppler	0.6.0	cpe:2.3:a:poppler:poppler:0.6.0:::::::*
poppler	poppler	0.6.1	cpe:2.3:a:poppler:poppler:0.6.1:::::::*
poppler	poppler	0.6.2	cpe:2.3:a:poppler:poppler:0.6.2:::::::*
poppler	poppler	0.6.3	cpe:2.3:a:poppler:poppler:0.6.3:::::::*
poppler	poppler	0.6.4	cpe:2.3:a:poppler:poppler:0.6.4:::::::*
poppler	poppler	0.7.0	cpe:2.3:a:poppler:poppler:0.7.0:::::::*
poppler	poppler	0.7.1	cpe:2.3:a:poppler:poppler:0.7.1:::::::*
poppler	poppler	0.7.2	cpe:2.3:a:poppler:poppler:0.7.2:::::::*
poppler	poppler	0.7.3	cpe:2.3:a:poppler:poppler:0.7.3:::::::*
poppler	poppler	0.8.0	cpe:2.3:a:poppler:poppler:0.8.0:::::::*
poppler	poppler	0.8.1	cpe:2.3:a:poppler:poppler:0.8.1:::::::*
poppler	poppler	0.8.2	cpe:2.3:a:poppler:poppler:0.8.2:::::::*
poppler	poppler	0.8.3	cpe:2.3:a:poppler:poppler:0.8.3:::::::*
poppler	poppler	0.8.4	cpe:2.3:a:poppler:poppler:0.8.4:::::::*
poppler	poppler	0.8.5	cpe:2.3:a:poppler:poppler:0.8.5:::::::*
poppler	poppler	0.8.6	cpe:2.3:a:poppler:poppler:0.8.6:::::::*
poppler	poppler	0.8.7	cpe:2.3:a:poppler:poppler:0.8.7:::::::*
poppler	poppler	0.9.0	cpe:2.3:a:poppler:poppler:0.9.0:::::::*
poppler	poppler	0.9.1	cpe:2.3:a:poppler:poppler:0.9.1:::::::*
poppler	poppler	0.9.2	cpe:2.3:a:poppler:poppler:0.9.2:::::::*
poppler	poppler	0.9.3	cpe:2.3:a:poppler:poppler:0.9.3:::::::*
poppler	poppler	0.10.0	cpe:2.3:a:poppler:poppler:0.10.0:::::::*
poppler	poppler	0.10.1	cpe:2.3:a:poppler:poppler:0.10.1:::::::*
poppler	poppler	0.10.2	cpe:2.3:a:poppler:poppler:0.10.2:::::::*

References for CVE-2009-0799

URL	Tags
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=495886
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://poppler.freedesktop.org/releases.html	Patch Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2009-0458.html
http://secunia.com/advisories/34291	Vendor Advisory
http://secunia.com/advisories/34481	Vendor Advisory
http://secunia.com/advisories/34746	Vendor Advisory
http://secunia.com/advisories/34755	Vendor Advisory
http://secunia.com/advisories/34756	Vendor Advisory
http://secunia.com/advisories/34852	Vendor Advisory
http://secunia.com/advisories/34959	Vendor Advisory
http://secunia.com/advisories/34963	Vendor Advisory
http://secunia.com/advisories/34991	Vendor Advisory
http://secunia.com/advisories/35037	Vendor Advisory
http://secunia.com/advisories/35064	Vendor Advisory
http://secunia.com/advisories/35065	Vendor Advisory
http://secunia.com/advisories/35618	Vendor Advisory
http://secunia.com/advisories/35685	Vendor Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.578477
http://www.debian.org/security/2009/dsa-1790	Patch
http://www.debian.org/security/2009/dsa-1793	Patch
http://www.kb.cert.org/vuls/id/196617	US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2009:101
http://www.mandriva.com/security/advisories?name=MDVSA-2010:087
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175
http://www.redhat.com/support/errata/RHSA-2009-0429.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0430.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0431.html	Patch
http://www.redhat.com/support/errata/RHSA-2009-0480.html	Patch
http://www.securityfocus.com/bid/34568	Patch
http://www.securitytracker.com/id?1022072
http://www.vupen.com/english/advisories/2009/1065	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1066	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1076	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1077	Vendor Advisory
http://www.vupen.com/english/advisories/2010/1040	Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10204
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00567.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01277.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01291.html

URL

CVE-2009-0799

Exploit prediction scoring system (EPSS) score for CVE-2009-0799

Common vulnerability scoring system (CVSS) metrics for CVE-2009-0799

Weakness enumeration for CVE-2009-0799

OS Trackers for CVE-2009-0799

Affected software / configurations for CVE-2009-0799

References for CVE-2009-0799