CVE-2009-2409

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Published: 2009-07-30 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2009-2409 is rated Moderate Risk (54.3/100): CVSS Medium severity, with high exploitation likelihood (EPSS 4.51%, 90th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +2.29% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2009-2409

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 2.21% 4.51% +2.29%
2 2026-04-14 1.64% 2.21% +0.57%
3 2026-04-01 1.64%

Full EPSS history (21 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-2409

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.1 2.0 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
4.9 6.4 [email protected]

Weakness enumeration for CVE-2009-2409

OS Trackers for CVE-2009-2409

vendor priority summary link
debian low CVE-2009-2409 low priority: Debian including 2 source packages (nss, openssl), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. https://security-tracker.debian.org/tracker/CVE-2009-2409
gentoo normal CVE-2009-2409: 2 GLSA(s) (200911-02, 200912-01), 6 atom(s) (app-emulation/emul-linux-x86-java, dev-java/blackdown-jdk, dev-java/blackdown-jre, dev-java/sun-jdk, dev-java/sun-jre-bin, dev-libs/openssl); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-2409
redhat medium https://access.redhat.com/security/cve/CVE-2009-2409
ubuntu medium CVE-2009-2409 medium priority: Ubuntu including 6 source packages (gnutls12, gnutls13, gnutls26, nss, openjdk-6, openssl), 48 status rows across 8 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, upstream): released 18, DNE 16, not-affected 9, needs-triage 5. https://ubuntu.com/security/CVE-2009-2409

Affected software / configurations for CVE-2009-2409

Vendor Product Version Raw CPE
gnu gnutls < 2.6.4 cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*
gnu gnutls >= 2.7.0, < 2.7.4 cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*
mozilla network_security_services < 3.12.3 cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
openssl openssl >= 0.9.8, <= 0.9.8k cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

References for CVE-2009-2409

URL Tags
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html Patch
http://java.sun.com/javase/6/webnotes/6u17.html Release Notes
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html Vendor Advisory
http://secunia.com/advisories/36139 Vendor Advisory
http://secunia.com/advisories/36157 Vendor Advisory
http://secunia.com/advisories/36434 Vendor Advisory
http://secunia.com/advisories/36669 Not Applicable
http://secunia.com/advisories/36739 Not Applicable
http://secunia.com/advisories/37386 Not Applicable
http://secunia.com/advisories/42467 Not Applicable
http://security.gentoo.org/glsa/glsa-200911-02.xml Third Party Advisory
http://security.gentoo.org/glsa/glsa-200912-01.xml Third Party Advisory
http://support.apple.com/kb/HT3937 Broken Link
http://www.debian.org/security/2009/dsa-1874 Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197 Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216 Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:258 Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 Not Applicable
http://www.redhat.com/support/errata/RHSA-2009-1207.html Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2009-1432.html Third Party Advisory
http://www.securityfocus.com/archive/1/515055/100/0/threaded Broken Link
http://www.securitytracker.com/id?1022631 Broken Link
http://www.ubuntu.com/usn/usn-810-1 Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2010-0019.html Third Party Advisory
http://www.vupen.com/english/advisories/2009/2085 Vendor Advisory
http://www.vupen.com/english/advisories/2009/3184 Vendor Advisory
http://www.vupen.com/english/advisories/2010/3126 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409 Third Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html Third Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594 Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0095.html Third Party Advisory
https://usn.ubuntu.com/810-2/ Broken Link
https://www.debian.org/security/2009/dsa-1888 Mailing List Third Party Advisory
cvelogic Threat Intelligence