CVE-2009-2409

CVE-2009-2409 is a medium-severity vulnerability in Gnu Gnutls with a CVSS 2.0 base score of 5.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-295.

Key facts

Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Frequently asked questions

What is CVE-2009-2409?
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
How severe is CVE-2009-2409?
CVE-2009-2409 has a CVSS 2.0 base score of 5.1, rated medium severity.
Is CVE-2009-2409 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 5% (90th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2009-2409?
CVE-2009-2409 primarily affects Gnu Gnutls. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2009-2409?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2009-2409 published?
CVE-2009-2409 was published on 2009-07-30 and last updated on 2026-06-16.

References

Affected products (3)

More vulnerabilities in Gnu Gnutls

All CVEs affecting Gnu Gnutls →

Other CWE-295 (Improper Certificate Validation) vulnerabilities

Browse all CWE-295 (Improper Certificate Validation) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: