Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-3106 — Incorrect Type Conversion or Cast in Adobe Flash Player

CWE-704 — Incorrect Type Conversion or Cast CWE-843 — Type Confusion7 documents7 sources

Severity

8.8HIGHNVD

EPSS

53.3%

top 2.02%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Adobe Flash Player Adobe Flash Player Desktop Runtime Adobe Systems Incorporated Flash Player +3 more

Timeline

PublishedAug 11

Latest updateMay 13

Description

Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable type confusion vulnerability when parsing SWF files. Successful exploitation could lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDadobe/flash_player26.0.0.137

▶NVDadobe/flash_player_desktop_runtime26.0.0.137

▶CVEListV5adobe_systems_incorporated/flash_player26.0.0.137 and earlier.

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

Also affects: Enterprise Linux 6.0

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-fvch-gj67-rr73: Adobe Flash Player versions 26↗2022-05-13

▶

OSV

CVE-2017-3106: Adobe Flash Player versions 26↗2017-08-11

▶

CVEList

CVE-2017-3106: Adobe Flash Player versions 26↗2017-08-11

▶

💥Exploits & PoCs

Exploit-DB

Adobe Flash - Invoke Accesses Trait Out-of-Bounds↗2017-08-17

▶

📋Vendor Advisories

Red Hat

flash-plugin: Remote Code Execution due to Type Confusion issue fixed in APSB17-23↗2017-08-08

▶

💬Community

Bugzilla

CVE-2017-3106 flash-plugin: Remote Code Execution due to Type Confusion issue fixed in APSB17-23↗2017-08-09

▶