Unrated severity · NVD Advisory · Published May 13, 2009 · Updated Apr 23, 2026

CVE-2009-0155

Description

Integer underflow in CoreGraphics in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers a heap-based buffer overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer underflow in CoreGraphics allows remote code execution via a crafted PDF on Mac OS X and iOS before the 2009 patches.

Vulnerability

An integer underflow vulnerability exists in CoreGraphics' handling of PDF files on Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1. The flaw leads to a heap-based buffer overflow when processing a specially crafted PDF file [1][2][3].

Exploitation

A remote attacker can exploit this vulnerability by delivering a malicious PDF file to the target system, typically via email, a web page, or other means that cause the user to open the file. No authentication or special network position is required; the user must simply open the crafted PDF. The integer underflow triggers a heap-based buffer overflow, allowing the attacker to overwrite memory [1][2][3].

Impact

Successful exploitation can result in arbitrary code execution with the privileges of the user opening the PDF, or a denial of service (application crash) [1][2][3].

Mitigation

Apple has addressed this vulnerability in Mac OS X 10.5.7 (Security Update 2009-002) [1][3], iPhone OS 3.0 [2], and iPhone OS 3.0 for iPod touch [2]. Users should apply these updates via Software Update or Apple Downloads. No workarounds are available.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17
  • apple:mac_os_x (8 entries)
    • cpe:2.3:o:apple:mac_os_x:10.5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.5.6:*:*:*:*:*:*:*
    • (no CPE) range: <10.5.7
  • apple:mac_os_x_server (7 entries)
    • cpe:2.3:o:apple:mac_os_x_server:10.5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.5.6:*:*:*:*:*:*:*
  • Range: 1.0 through 2.2.1
  • Range: 1.1 through 2.2.1
