CVE-2012-0754
Published: 16 February 2012
Summary
CVE-2012-0754 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions prior to 10.3.183.15 and 11.x prior to 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris, as well as versions prior to 11.1.111.6 on Android 2.x and 3.x and prior to 11.1.115.6 on Android 4.x, contain a memory corruption flaw tracked as CWE-787. The vulnerability permits remote attackers to trigger arbitrary code execution or a denial of service through unspecified vectors, reflected in its CVSS 3.1 score of 8.1 with network attack vector, high complexity, and no required privileges or user interaction.
An attacker can deliver malicious content over the network to an affected Flash Player instance and leverage the flaw to corrupt memory, potentially gaining full control of the process or crashing the application. Exploitation requires no authentication and succeeds against any user who encounters the crafted input, though the high attack complexity indicates specific conditions must be met for reliable code execution.
Vendor advisories from Red Hat, openSUSE, Gentoo, and Secunia direct administrators to apply the corresponding updates that advance Flash Player past the listed vulnerable releases on each supported platform. These patches address the memory corruption issue directly and are distributed through the respective operating-system update mechanisms referenced in the security bulletins.
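A version check for inventory triage against the affected ranges listed above, as an added example that is not part of the original advisory. The platform labels, function names and sample inventory are assumptions made for illustration.

```python
# Thresholds are the fixed versions quoted in the advisory text.
# Platform labels and the inventory rows are constructed for this example.
FIXED_DESKTOP_10 = (10, 3, 183, 15)
FIXED_DESKTOP_11 = (11, 1, 102, 62)
FIXED_ANDROID_2_3 = (11, 1, 111, 6)
FIXED_ANDROID_4 = (11, 1, 115, 6)
DESKTOP = {"windows", "macos", "linux", "solaris"}


def parse_version(text):
    """Turn '11.1.102.55' or '11,1,102,55' into a 4-tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, flash_version, android_major=None):
    """Return True if the install falls in the ranges listed for CVE-2012-0754."""
    v = parse_version(flash_version)
    platform = platform.lower()
    if platform in DESKTOP:
        # Two branches: 11.x below the 11.1 fix, or anything below the 10.3 fix.
        if v[0] >= 11:
            return v < FIXED_DESKTOP_11
        return v < FIXED_DESKTOP_10
    if platform == "android":
        if android_major in (2, 3):
            return v < FIXED_ANDROID_2_3
        if android_major == 4:
            return v < FIXED_ANDROID_4
        raise ValueError("advisory only covers Android 2.x, 3.x and 4.x")
    raise ValueError(f"platform not covered by the advisory: {platform!r}")


def triage(inventory):
    """Return host names whose Flash install still needs the update."""
    return [h for h, plat, ver, amaj in inventory if is_affected(plat, ver, amaj)]


# Constructed inventory: (host, platform, Flash version, Android major or None)
SAMPLE = [
    ("ws-01", "windows", "11.1.102.55", None),
    ("ws-02", "windows", "10.3.183.15", None),
    ("mac-07", "macos", "10.3.183.10", None),
    ("tab-03", "android", "11.1.111.6", 4),
    ("ph-11", "android", "11.1.111.6", 3),
]
```

The same Flash build 11.1.111.6 is fixed on Android 3.x but still in range on Android 4.x, which is why the check needs the OS major version as well as the player version.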
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-0786
Vulnerability details
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
- CWE(s): CWE-787
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches that remediate the memory-corruption flaw in Flash Player.
Explicitly governs use of Flash movies (mobile code) and can block or restrict execution of the vulnerable player.
Mandates memory-protection techniques (DEP, ASLR, etc.) that raise the bar against exploitation of the out-of-bounds write (CWE-787).