⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2016-7855 — Use After Free in Adobe Flash Player

CWE-416 — Use After Free14 documents12 sources

Severity

8.8HIGHNVD

EPSS

49.8%

top 2.18%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Flash Player Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server +1 more

Timeline

PublishedNov 1

KEV addedMar 3

KEV dueMar 24

Latest updateFeb 12

CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDadobe/flash_player23.0.0.185+1

▶NVDredhat/enterprise_linux_server5.0, 6.0+1

▶NVDredhat/enterprise_linux_desktop5.0, 6.0+1

▶NVDredhat/enterprise_linux_workstation5.0, 6.0+1

Patches

Patch: docs.microsoft.com ↗Patch: helpx.adobe.com ↗Patch: docs.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-fq8g-m89m-mrw9: Use-after-free vulnerability in Adobe Flash Player before 23↗2022-05-14

▶

OSV

CVE-2016-7855: Use-after-free vulnerability in Adobe Flash Player before 23↗2016-11-01

▶

CVEList

CVE-2016-7855: Use-after-free vulnerability in Adobe Flash Player before 23↗2016-11-01

▶

VulnCheck

Adobe Flash Player Use-After-Free Vulnerability↗2016

▶

📋Vendor Advisories

CISA

Adobe Flash Player Use-After-Free Vulnerability↗2022-03-03

▶

Red Hat

flash-plugin: use-after-free issue fixed in APSB16-36↗2016-10-26

▶

🕵️Threat Intelligence

Unit42

Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue↗2016-12-15

▶

Unit42

Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue↗2016-12-15

▶

Qualys

Emergency Flash Player 0-day update released by Adobe↗2016-10-26

▶

Qualys

Emergency Flash Player 0-day update released by Adobe | Qualys↗2016-10-26

▶

Zscaler

Zscaler discovers Flash Player Vulnerabilities | 10-11-2016↗

▶

📄Research Papers

arXiv

Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures↗2025-02-12

▶

💬Community

Bugzilla

CVE-2016-7855 flash-plugin: use-after-free issue fixed in APSB16-36↗2016-10-26

▶