⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: The impacted product is end-of-life and should be disconnected if still in use..

CVE-2016-7892Use After Free in Adobe Flash Player

CWE-416Use After Free9 documents8 sources
Severity
8.8HIGHNVD
EPSS
23.3%
top 4.04%
CISA KEV
KEV
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Adobe Flash PlayerAdobe Flash Player Desktop Runtime
Timeline
PublishedDec 15
KEV addedMar 25
KEV dueApr 15
Latest updateMay 14
CISA Required Action: The impacted product is end-of-life and should be disconnected if still in use.

Description

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField class. Successful exploitation could lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDadobe/flash_player23.0.0.207+1

Patches

Patch: docs.microsoft.comPatch: helpx.adobe.comPatch: docs.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-gxjf-m829-568r: Adobe Flash Player versions 232022-05-14
CVEList
CVE-2016-7892: Adobe Flash Player versions 232016-12-15
VulnCheck
Adobe Flash Player Use-After-Free Vulnerability2016

📋Vendor Advisories

2
CISA
Adobe Flash Player Use-After-Free Vulnerability2022-03-25
Red Hat
flash-plugin: multiple code execution issues fixed in APSB16-392016-12-13

🕵️Threat Intelligence

2
Qualys
2016 Year-End Summary for Adobe and Another 0-day Fix in December2016-12-14
Qualys
2016 Year-End Summary for Adobe and Another 0-day Fix in December | Qualys2016-12-14

💬Community

1
Bugzilla
flash-plugin: multiple code execution issues fixed in APSB16-392016-12-13
CVE-2016-7892 — Use After Free in Adobe Flash Player | cvebase