CVE-2009-5098
Description
Palm Pre WebOS 1.1 and earlier crashes when a crafted web page with a refresh tag and a long string triggers a floating point exception in LunaSysMgr.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Palm Pre WebOS 1.1 and earlier crashes when a crafted web page with a refresh tag and a long string triggers a floating point exception in LunaSysMgr.
Vulnerability
The LunaSysMgr process in Palm Pre WebOS version 1.1 and earlier contains a floating point exception vulnerability that can be triggered by viewing a specially crafted web page. The page must include a `` tag followed by a string of at least 50,280 characters. The crash does not occur if the device is in landscape mode [1][2].
Exploitation
An attacker only needs to host or distribute a malicious web page and convince the user to view it in portrait mode. No authentication or special network position is required—simply browsing to the page triggers the exploit. The crafted page causes the LunaSysMgr process to generate a floating point exception, leading to a crash [1][2].
Impact
Successful exploitation causes LunaSysMgr to crash, which forces the device to restart the process and simulate a system reboot. This denial-of-service condition disrupts device usage until the process restarts. No data loss or privilege escalation is reported [1][2].
Mitigation
Palm released WebOS version 1.2+, which addresses the vulnerability. Users are advised to update their devices to the latest version. No other workarounds are documented [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5cpe:2.3:o:hp:palm_pre_webos:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:hp:palm_pre_webos:*:*:*:*:*:*:*:*range: <=1.1.0
- cpe:2.3:o:hp:palm_pre_webos:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:hp:palm_pre_webos:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:hp:palm_pre_webos:1.0.4:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"A floating point exception in LunaSysMgr triggered by a long string following a meta refresh tag causes the process to crash."
Attack vector
An attacker hosts a web page containing a `
Affected code
The vulnerable process is LunaSysMgr in Palm Pre WebOS version 1.1 and earlier. The advisory does not identify a specific function or file path, but the crash occurs when the browser component parses an HTML page containing a `
What the fix does
No patch diff is available in the bundle. The advisory states that Palm addressed this vulnerability in WebOS version 1.2 and recommends all users update to that version [ref_id=1][ref_id=2]. The fix presumably corrects the floating-point handling in LunaSysMgr when processing long refresh-tag strings, preventing the division-by-zero or invalid operation that caused the crash.
Preconditions
- configThe victim must be using Palm Pre WebOS version 1.1 or earlier.
- configThe victim must view the malicious web page in portrait (non-landscape) mode.
- inputThe attacker must host or deliver a web page containing a meta refresh tag followed by 50,280 or more characters.
Reproduction
1. Create an HTML file containing the following payload: `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- tlhsecurity.blogspot.com/2009/10/palm-pre-webos-version-11-floating.htmlnvdExploit
- secunia.com/advisories/36936nvdVendor Advisory
- kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.htmlnvd
- securityreason.com/securityalert/8373nvd
- www.securityfocus.com/archive/1/507126/100/0/threadednvd
News mentions
0No linked articles in our index yet.