Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is in the KEV database since May 20, 2026.

The EPSS score is 0.5549.

Exploitation active

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Microsoft
  • Directx
  • Windows 2000
  • Windows 2003 Server
  • Windows Server 2003
  • Windows Xp

Configuration 1 [-]

AND
OR cpe:2.3:a:microsoft:directx:7.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:7.0a:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:7.1:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:8.1:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:8.1b:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0a:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0b:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0c:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

Configuration 2 [-]

AND
OR cpe:2.3:a:microsoft:directx:9.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0a:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0b:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:directx:9.0c:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*

No data.

No data.

References
Link Providers
http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx cve-icon cve-icon
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx cve-icon cve-icon
http://isc.sans.org/diary.html?storyid=6481 cve-icon cve-icon
http://osvdb.org/54797 cve-icon cve-icon
http://secunia.com/advisories/35268 cve-icon cve-icon
http://www.microsoft.com/technet/security/advisory/971778.mspx cve-icon cve-icon
http://www.securityfocus.com/bid/35139 cve-icon cve-icon
http://www.securitytracker.com/id?1022299 cve-icon cve-icon
http://www.us-cert.gov/cas/techalerts/TA09-195A.html cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1445 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1886 cve-icon cve-icon
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-028 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6237 cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-1537 cve-icon cve-icon
History

Thu, 21 May 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:* cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-158
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-20T00:00:00+00:00', 'dueDate': '2026-06-03T00:00:00+00:00'}
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-21T03:55:22.095Z

Reserved: 2009-05-05T00:00:00.000Z

Link: CVE-2009-1537

cve-icon Vulnrichment

Updated: 2024-08-07T05:13:25.834Z

cve-icon NVD

Status : Analyzed

Published: 2009-05-29T18:30:00.187

Modified: 2026-05-21T12:57:12.850

Link: CVE-2009-1537

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.