CVE-2009-1182

Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.

Published: 2009-04-23 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2009-1182 is rated Moderate Risk (62.4/100): CVSS High severity, with high exploitation likelihood (EPSS 7.10%, 91th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2009-1182

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-01-06 6.61% 7.10% +0.49%
2 2025-12-14 5.75% 6.61% +0.86%
3 2025-11-09 5.75%

Full EPSS history (25 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-1182

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2009-1182

OS Trackers for CVE-2009-1182

vendor priority summary link
debian medium CVE-2009-1182 medium priority: Debian including 2 source packages (poppler, xpdf), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. https://security-tracker.debian.org/tracker/CVE-2009-1182
gentoo normal CVE-2009-1182: 1 GLSA(s) (201310-03), 1 atom(s) (app-text/poppler); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-1182
redhat high https://access.redhat.com/security/cve/CVE-2009-1182
suse high CVE-2009-1182 severity important: SUSE including 90 source package names (libpoppler-cpp0-0.43.0-15.1, libpoppler-cpp0-0.43.0-16.15.1, …), 157 product×package rows across 33 product lines (SUSE Linux Enterprise Desktop 12, SUSE Linux Enterprise Desktop 12 SP1, … (33 product lines)): Fixed 157. https://www.suse.com/security/cve/CVE-2009-1182/
ubuntu medium CVE-2009-1182 medium priority: Ubuntu including 14 source packages (cups, cupsys, …), 476 status rows across 34 suites (artful, bionic, cosmic, dapper, disco, eoan, focal, groovy, gutsy, hardy, hirsute, impish, intrepid, jammy, jaunty, karmic, kinetic, lucid, lunar, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): DNE 216, not-affected 171, ignored 42 (5 distinct statuses). https://ubuntu.com/security/CVE-2009-1182

Affected software / configurations for CVE-2009-1182

Vendor Product Version Raw CPE
foolabs xpdf 0.5a cpe:2.3:a:foolabs:xpdf:0.5a:*:*:*:*:*:*:*
foolabs xpdf 0.7a cpe:2.3:a:foolabs:xpdf:0.7a:*:*:*:*:*:*:*
foolabs xpdf 0.91a cpe:2.3:a:foolabs:xpdf:0.91a:*:*:*:*:*:*:*
foolabs xpdf 0.91b cpe:2.3:a:foolabs:xpdf:0.91b:*:*:*:*:*:*:*
foolabs xpdf 0.91c cpe:2.3:a:foolabs:xpdf:0.91c:*:*:*:*:*:*:*
foolabs xpdf 0.92a cpe:2.3:a:foolabs:xpdf:0.92a:*:*:*:*:*:*:*
foolabs xpdf 0.92b cpe:2.3:a:foolabs:xpdf:0.92b:*:*:*:*:*:*:*
foolabs xpdf 0.92c cpe:2.3:a:foolabs:xpdf:0.92c:*:*:*:*:*:*:*
foolabs xpdf 0.92d cpe:2.3:a:foolabs:xpdf:0.92d:*:*:*:*:*:*:*
foolabs xpdf 0.92e cpe:2.3:a:foolabs:xpdf:0.92e:*:*:*:*:*:*:*
foolabs xpdf 0.93a cpe:2.3:a:foolabs:xpdf:0.93a:*:*:*:*:*:*:*
foolabs xpdf 0.93b cpe:2.3:a:foolabs:xpdf:0.93b:*:*:*:*:*:*:*
foolabs xpdf 0.93c cpe:2.3:a:foolabs:xpdf:0.93c:*:*:*:*:*:*:*
foolabs xpdf 1.00a cpe:2.3:a:foolabs:xpdf:1.00a:*:*:*:*:*:*:*
glyphandcog xpdfreader <= 3.02 cpe:2.3:a:glyphandcog:xpdfreader:*:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.2 cpe:2.3:a:glyphandcog:xpdfreader:0.2:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.3 cpe:2.3:a:glyphandcog:xpdfreader:0.3:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.4 cpe:2.3:a:glyphandcog:xpdfreader:0.4:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.5 cpe:2.3:a:glyphandcog:xpdfreader:0.5:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.6 cpe:2.3:a:glyphandcog:xpdfreader:0.6:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.7 cpe:2.3:a:glyphandcog:xpdfreader:0.7:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.80 cpe:2.3:a:glyphandcog:xpdfreader:0.80:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.90 cpe:2.3:a:glyphandcog:xpdfreader:0.90:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.91 cpe:2.3:a:glyphandcog:xpdfreader:0.91:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.92 cpe:2.3:a:glyphandcog:xpdfreader:0.92:*:*:*:*:*:*:*
glyphandcog xpdfreader 0.93 cpe:2.3:a:glyphandcog:xpdfreader:0.93:*:*:*:*:*:*:*
glyphandcog xpdfreader 1.00 cpe:2.3:a:glyphandcog:xpdfreader:1.00:*:*:*:*:*:*:*
glyphandcog xpdfreader 1.01 cpe:2.3:a:glyphandcog:xpdfreader:1.01:*:*:*:*:*:*:*
glyphandcog xpdfreader 2.00 cpe:2.3:a:glyphandcog:xpdfreader:2.00:*:*:*:*:*:*:*
glyphandcog xpdfreader 2.01 cpe:2.3:a:glyphandcog:xpdfreader:2.01:*:*:*:*:*:*:*
glyphandcog xpdfreader 2.02 cpe:2.3:a:glyphandcog:xpdfreader:2.02:*:*:*:*:*:*:*
glyphandcog xpdfreader 2.03 cpe:2.3:a:glyphandcog:xpdfreader:2.03:*:*:*:*:*:*:*
glyphandcog xpdfreader 3.00 cpe:2.3:a:glyphandcog:xpdfreader:3.00:*:*:*:*:*:*:*
glyphandcog xpdfreader 3.01 cpe:2.3:a:glyphandcog:xpdfreader:3.01:*:*:*:*:*:*:*
poppler poppler <= 0.10.5 cpe:2.3:a:poppler:poppler:*:*:*:*:*:*:*:*
poppler poppler 0.1 cpe:2.3:a:poppler:poppler:0.1:*:*:*:*:*:*:*
poppler poppler 0.1.1 cpe:2.3:a:poppler:poppler:0.1.1:*:*:*:*:*:*:*
poppler poppler 0.1.2 cpe:2.3:a:poppler:poppler:0.1.2:*:*:*:*:*:*:*
poppler poppler 0.2.0 cpe:2.3:a:poppler:poppler:0.2.0:*:*:*:*:*:*:*
poppler poppler 0.3.0 cpe:2.3:a:poppler:poppler:0.3.0:*:*:*:*:*:*:*
poppler poppler 0.3.1 cpe:2.3:a:poppler:poppler:0.3.1:*:*:*:*:*:*:*
poppler poppler 0.3.2 cpe:2.3:a:poppler:poppler:0.3.2:*:*:*:*:*:*:*
poppler poppler 0.3.3 cpe:2.3:a:poppler:poppler:0.3.3:*:*:*:*:*:*:*
poppler poppler 0.4.0 cpe:2.3:a:poppler:poppler:0.4.0:*:*:*:*:*:*:*
poppler poppler 0.4.1 cpe:2.3:a:poppler:poppler:0.4.1:*:*:*:*:*:*:*
poppler poppler 0.4.2 cpe:2.3:a:poppler:poppler:0.4.2:*:*:*:*:*:*:*
poppler poppler 0.4.3 cpe:2.3:a:poppler:poppler:0.4.3:*:*:*:*:*:*:*
poppler poppler 0.4.4 cpe:2.3:a:poppler:poppler:0.4.4:*:*:*:*:*:*:*
poppler poppler 0.5.0 cpe:2.3:a:poppler:poppler:0.5.0:*:*:*:*:*:*:*
poppler poppler 0.5.1 cpe:2.3:a:poppler:poppler:0.5.1:*:*:*:*:*:*:*
poppler poppler 0.5.2 cpe:2.3:a:poppler:poppler:0.5.2:*:*:*:*:*:*:*
poppler poppler 0.5.3 cpe:2.3:a:poppler:poppler:0.5.3:*:*:*:*:*:*:*
poppler poppler 0.5.4 cpe:2.3:a:poppler:poppler:0.5.4:*:*:*:*:*:*:*
poppler poppler 0.5.9 cpe:2.3:a:poppler:poppler:0.5.9:*:*:*:*:*:*:*
poppler poppler 0.5.90 cpe:2.3:a:poppler:poppler:0.5.90:*:*:*:*:*:*:*
poppler poppler 0.5.91 cpe:2.3:a:poppler:poppler:0.5.91:*:*:*:*:*:*:*
poppler poppler 0.6.0 cpe:2.3:a:poppler:poppler:0.6.0:*:*:*:*:*:*:*
poppler poppler 0.6.1 cpe:2.3:a:poppler:poppler:0.6.1:*:*:*:*:*:*:*
poppler poppler 0.6.2 cpe:2.3:a:poppler:poppler:0.6.2:*:*:*:*:*:*:*
poppler poppler 0.6.3 cpe:2.3:a:poppler:poppler:0.6.3:*:*:*:*:*:*:*
poppler poppler 0.6.4 cpe:2.3:a:poppler:poppler:0.6.4:*:*:*:*:*:*:*
poppler poppler 0.7.0 cpe:2.3:a:poppler:poppler:0.7.0:*:*:*:*:*:*:*
poppler poppler 0.7.1 cpe:2.3:a:poppler:poppler:0.7.1:*:*:*:*:*:*:*
poppler poppler 0.7.2 cpe:2.3:a:poppler:poppler:0.7.2:*:*:*:*:*:*:*
poppler poppler 0.7.3 cpe:2.3:a:poppler:poppler:0.7.3:*:*:*:*:*:*:*
poppler poppler 0.8.0 cpe:2.3:a:poppler:poppler:0.8.0:*:*:*:*:*:*:*
poppler poppler 0.8.1 cpe:2.3:a:poppler:poppler:0.8.1:*:*:*:*:*:*:*
poppler poppler 0.8.2 cpe:2.3:a:poppler:poppler:0.8.2:*:*:*:*:*:*:*
poppler poppler 0.8.3 cpe:2.3:a:poppler:poppler:0.8.3:*:*:*:*:*:*:*
poppler poppler 0.8.4 cpe:2.3:a:poppler:poppler:0.8.4:*:*:*:*:*:*:*
poppler poppler 0.8.5 cpe:2.3:a:poppler:poppler:0.8.5:*:*:*:*:*:*:*
poppler poppler 0.8.6 cpe:2.3:a:poppler:poppler:0.8.6:*:*:*:*:*:*:*
poppler poppler 0.8.7 cpe:2.3:a:poppler:poppler:0.8.7:*:*:*:*:*:*:*
poppler poppler 0.9.0 cpe:2.3:a:poppler:poppler:0.9.0:*:*:*:*:*:*:*
poppler poppler 0.9.1 cpe:2.3:a:poppler:poppler:0.9.1:*:*:*:*:*:*:*
poppler poppler 0.9.2 cpe:2.3:a:poppler:poppler:0.9.2:*:*:*:*:*:*:*
poppler poppler 0.9.3 cpe:2.3:a:poppler:poppler:0.9.3:*:*:*:*:*:*:*
poppler poppler 0.10.0 cpe:2.3:a:poppler:poppler:0.10.0:*:*:*:*:*:*:*
poppler poppler 0.10.1 cpe:2.3:a:poppler:poppler:0.10.1:*:*:*:*:*:*:*
poppler poppler 0.10.2 cpe:2.3:a:poppler:poppler:0.10.2:*:*:*:*:*:*:*

References for CVE-2009-1182

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://poppler.freedesktop.org/releases.html
http://rhn.redhat.com/errata/RHSA-2009-0458.html Vendor Advisory
http://secunia.com/advisories/34291 Vendor Advisory
http://secunia.com/advisories/34481 Vendor Advisory
http://secunia.com/advisories/34746 Vendor Advisory
http://secunia.com/advisories/34755 Vendor Advisory
http://secunia.com/advisories/34756 Vendor Advisory
http://secunia.com/advisories/34852 Vendor Advisory
http://secunia.com/advisories/34959 Vendor Advisory
http://secunia.com/advisories/34963 Vendor Advisory
http://secunia.com/advisories/34991 Vendor Advisory
http://secunia.com/advisories/35037 Vendor Advisory
http://secunia.com/advisories/35064 Vendor Advisory
http://secunia.com/advisories/35065 Vendor Advisory
http://secunia.com/advisories/35618 Vendor Advisory
http://secunia.com/advisories/35685 Vendor Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.578477
http://www.debian.org/security/2009/dsa-1790
http://www.debian.org/security/2009/dsa-1793
http://www.kb.cert.org/vuls/id/196617 US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2009:101
http://www.mandriva.com/security/advisories?name=MDVSA-2010:087
http://www.mandriva.com/security/advisories?name=MDVSA-2011:175
http://www.redhat.com/support/errata/RHSA-2009-0429.html
http://www.redhat.com/support/errata/RHSA-2009-0430.html
http://www.redhat.com/support/errata/RHSA-2009-0431.html
http://www.redhat.com/support/errata/RHSA-2009-0480.html
http://www.securityfocus.com/bid/34568
http://www.securitytracker.com/id?1022073
http://www.vupen.com/english/advisories/2009/1065 Vendor Advisory
http://www.vupen.com/english/advisories/2009/1066 Vendor Advisory
http://www.vupen.com/english/advisories/2009/1076 Vendor Advisory
http://www.vupen.com/english/advisories/2009/1077 Vendor Advisory
http://www.vupen.com/english/advisories/2010/1040 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=495896
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10735
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00567.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01277.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01291.html
cvelogic Threat Intelligence