⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2010-3654: Improper Restriction of Operations within the Bounds of a Memory Buffer in Adobe Flash Player

Severity: 9.3 CRITICAL (NVD)
EPSS: 93.6% (top 0.17%)
CISA KEV: Not in KEV
Exploit: Exploited in wild. Active exploitation observed.
Timeline: Published Oct 29; latest update May 17

Description

Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris and 10.1.95.1 on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages (4 packages)

NVD: adobe/flash_player, 10.1.85.3 (+57)
NVD: adobe/acrobat_reader, 12 versions (+11)
NVD: adobe/acrobat, 12 versions (+11)
NVD: macromedia/flash_player, 8 versions (+7)

🔴 Vulnerability Details (3)

GHSA: GHSA-c6x8-9r8h-9jrr: Adobe Flash Player before 9 (2022-05-17)
CVEList: CVE-2010-3654: Adobe Flash Player before 9 (2010-10-29)
VulnCheck: Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer (2010)

💥 Exploits & PoCs (3)

Exploit-DB: Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion (ASLR + DEP Bypass) (2011-04-19)
Exploit-DB: Adobe Flash Player - 'Button' Arbitrary Code Execution (Metasploit) (2010-11-01)
Metasploit: Adobe Flash Player "Button" Remote Code Execution

🔍 Detection Rules (1)

Suricata: ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt (2011-07-15)

📋 Vendor Advisories (1)

Red Hat: acroread/flash-plugin: critical vulnerability (APSA10-05, APSB10-26) (2010-10-28)

🕵️ Threat Intelligence (2)

Securelist: Investigation Report for the September 2014 Equation malware detection incident in the US (2017-11-16)
Securelist: Investigation Report for the September 2014 Equation malware detection incident in the US (2017-11-16)

💬 Community (2)

Bugzilla: flash-plugin: security bulletin APSB10-26 (2010-11-04)
Bugzilla: CVE-2010-3654 acroread/flash-plugin: critical vulnerability (APSA10-05, APSB10-26) (2010-10-28)