CVE-2016-7877
high
CVSS v3
8.8
CVSS v2
9.3
VIR risk
8.8
Description
Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the Action Message Format serialization (AFM0). Successful exploitation could lead to arbitrary code execution.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@adobe.com — https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
Vendor advisory: psirt@adobe.com — https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-154
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| linux-kernel | - | not-affected | |
| windows | - | not-affected | |
| macos | - | not-affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| adobe | flash_player_desktop_runtime | {"endIncluding":"23.0.0.207"} | |
| adobe | flash_player | {"endIncluding":"23.0.0.207"} | |
References
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00064.html
- http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html
- http://rhn.redhat.com/errata/RHSA-2016-2947.html
- http://www.securityfocus.com/bid/94873
- http://www.securitytracker.com/id/1037442
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-154
- https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
- https://security.gentoo.org/glsa/201701-17
- http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00064.html
- http://lists.opensuse.org/opensuse-updates/2016-12/msg00112.html
- http://rhn.redhat.com/errata/RHSA-2016-2947.html
- http://www.securityfocus.com/bid/94873
- http://www.securitytracker.com/id/1037442
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-154
- https://helpx.adobe.com/security/products/flash-player/apsb16-39.html
- https://security.gentoo.org/glsa/201701-17
CWEs
CWE-416
Verify integrity in audit chain (admin only). AS-IS.