CVE-2017-11225
critical
CVSS v3
9.8
CVSS v2
10.0
VIR risk
9.8
Description
An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the Primetime SDK metadata functionality. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@adobe.com — https://helpx.adobe.com/security/products/flash-player/apsb17-33.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| linux-kernel | - | not-affected | |
| rhel | 6.0 | affected | |
| windows | - | not-affected | |
| macos | - | not-affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| adobe | flash_player | {"endIncluding":"27.0.0.183"} | |
References
- http://www.securityfocus.com/bid/101837
- http://www.securitytracker.com/id/1039778
- https://access.redhat.com/errata/RHSA-2017:3222
- https://helpx.adobe.com/security/products/flash-player/apsb17-33.html
- https://security.gentoo.org/glsa/201711-13
- http://www.securityfocus.com/bid/101837
- http://www.securitytracker.com/id/1039778
- https://access.redhat.com/errata/RHSA-2017:3222
- https://helpx.adobe.com/security/products/flash-player/apsb17-33.html
- https://security.gentoo.org/glsa/201711-13
CWEs
CWE-416
Verify integrity in audit chain (admin only). AS-IS.