CVE-2016-4108
Published 2016-05-11
Priority: P2 · 62 · High · CVSS 3.0: 7.5
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 37.72% (98.4th percentile)
Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-064.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | air_desktop_runtime | <= 21.0.0.198 | — |
| adobe | air_sdk | <= 21.0.0.198 | — |
| adobe | air_sdk_compiler | <= 21.0.0.198 | — |
| adobe | flash_player | <= 21.0.0.213 | — |
| adobe | flash_player | <= 21.0.0.241 | — |
| adobe | flash_player | <= 18.0.0.343 | — |
| adobe | flash_player | <= 11.2.202.616 | — |
| adobe | flash_player | <= 21.0.0.216 | — |
| adobe | flash_player_desktop_runtime | <= 21.0.0.226 | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Use-after-free triggered via ActionScript addProperty() on a MovieClip object that already has a watch() callback defined: the watch callback deletes the MovieClip, which is then used after free.
- Minimal PoC ActionScript pattern to detect in SWF analysis: createEmptyMovieClip + watch + addProperty on the same object; flag SWF files exhibiting this call sequence.
- Vulnerability affects Adobe Flash Player 21.0.0.213 and earlier, including Flash libraries embedded in Microsoft Internet Explorer 10/11 and Microsoft Edge (covered under MS16-064 / APSB16-15).
- Impact and attack vectors are officially unspecified by Adobe; the underlying mechanism is a use-after-free in the addProperty ActionScript method.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-gj4r-qpq9-xp3h: Use-after-free vulnerability in Adobe Flash Player before 18
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2016-4121 [HIGH] CWE-416 GHSA-gj4r-qpq9-xp3h: Use-after-free vulnerability in Adobe Flash Player before 18
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0.0.242 on Windows and OS X and before 11.2.202.621 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, and CVE-2016-4110.
GHSA
GHSA-j9m7-42pq-p58j: Unspecified vulnerability in Adobe Flash Player 21
ghsa_unreviewed·2022-05-14
CVE-2016-4108 [HIGH] GHSA-j9m7-42pq-p58j: Unspecified vulnerability in Adobe Flash Player 21
Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-064.
OSV
CVE-2016-4121: Use-after-free vulnerability in Adobe Flash Player before 18
osv·2016-06-16·CVSS 7.5
CVE-2016-4121 [HIGH] CVE-2016-4121: Use-after-free vulnerability in Adobe Flash Player before 18
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0.0.242 on Windows and OS X and before 11.2.202.621 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, and CVE-2016-4110.
Red Hat
flash-plugin: multiple code execution issues fixed in APSB16-15
vendor_redhat·2016-05-10·CVSS 7.5
CVE-2016-4108 [HIGH] flash-plugin: multiple code execution issues fixed in APSB16-15
Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-064.
Red Hat
flash-plugin: multiple code execution issues fixed in APSB16-15
vendor_redhat·2016-05-10·CVSS 7.5
CVE-2016-4121 [HIGH] flash-plugin: multiple code execution issues fixed in APSB16-15
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.352 and 19.x through 21.x before 21.0.0.242 on Windows and OS X and before 11.2.202.621 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, and CVE-2016-4110.
No detection rules found.
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-13-2016
blogs_zscaler
Bugzilla
flash-plugin: multiple code execution issues fixed in APSB16-15
bugzilla·2016-05-11·CVSS 7.5
CVE-2016-4117 [HIGH] flash-plugin: multiple code execution issues fixed in APSB16-15
Adobe released a new security advisory for Adobe Flash Player.
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
Discussion:
Updates for Adobe Flas
References
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html
- http://packetstormsecurity.com/files/137058/Adobe-Flash-addProperty-Use-After-Free.html
- http://rhn.redhat.com/errata/RHSA-2016-1079.html
- http://www.securitytracker.com/id/1035827
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-064
- https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
- https://www.exploit-db.com/exploits/39830/
Published: 2016-05-11