VYPR
Unrated severityNVD Advisory· Published Aug 6, 2009· Updated Jun 16, 2026

CVE-2009-2412

CVE-2009-2412

Description

Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

52
  • Apache/Apr Util24 versions
    cpe:2.3:a:apache:apr-util:0.9.1:*:*:*:*:*:*:*+ 23 more
    • cpe:2.3:a:apache:apr-util:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.2-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.3-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.7-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.4-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.6-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:apr-util:1.3.8:*:*:*:*:*:*:*
    • (no CPE)range: 0.9.x, 1.3.x
  • cpe:2.3:a:apache:portable_runtime:0.9.1:*:*:*:*:*:*:*+ 23 more
    • cpe:2.3:a:apache:portable_runtime:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.16-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.2-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.3-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.7-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.4-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.6-dev:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:portable_runtime:1.3.8:*:*:*:*:*:*:*
  • Apache/APRllm-fuzzy
    Range: 0.9.x, 1.3.x
  • osv-coords3 versions
    < 2.4.23-4.1+ 2 more
    • (no CPE)range: < 2.4.23-4.1
    • (no CPE)range: < 1.5.2-3.4
    • (no CPE)range: < 1.5.4-4.4

Patches

Vulnerability mechanics

References

51

News mentions

0

No linked articles in our index yet.