CVE-2016-4137
published 2016-06-16


Priority: P2 (62, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 16.38% (96.6th percentile)
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083.

Affected (14 ranges)

Vendor   | Product                                    | Version range   | Fixed in
---------|--------------------------------------------|-----------------|---------
adobe    | flash_player                               | <= 21.0.0.242   |
adobe    | flash_player                               | <= 11.2.202.621 |
adobe    | flash_player                               | <= 18.0.0.352   |
adobe    | flash_player_desktop_runtime               | <= 21.0.0.242   |
opensuse | opensuse                                   |                 |
opensuse | opensuse                                   |                 |
redhat   | enterprise_linux_desktop                   |                 |
redhat   | enterprise_linux_desktop                   |                 |
redhat   | enterprise_linux_server                    |                 |
redhat   | enterprise_linux_server                    |                 |
redhat   | enterprise_linux_workstation               |                 |
redhat   | enterprise_linux_workstation               |                 |
suse     | linux_enterprise_desktop                   |                 |
suse     | linux_enterprise_workstation_extension     |                 |

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40089.zip
  • Loading a crafted image file via LoadImage.swf with a specific query parameter triggers heap corruption in Adobe Flash LMZA property decoding
  • The crash may require multiple page loads/refreshes to trigger, which may appear as repeated Flash content requests in network or proxy logs
  • Affected versions are Adobe Flash Player 21.0.0.242 and earlier, including Flash libraries embedded in Microsoft Internet Explorer 10, IE 11, and Microsoft Edge
  • This is one of multiple vulnerabilities addressed in MS16-083 / APSB16-18; detections should account for the full bulletin scope

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------------------------------------------------
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat |         | 8.8   | HIGH     |