Cyber Resilience

CVE-2012-0754

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 February 2012
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9154 (99.7th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-0754 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions prior to 10.3.183.15 and 11.x prior to 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris, as well as versions prior to 11.1.111.6 on Android 2.x and 3.x and prior to 11.1.115.6 on Android 4.x, contain a memory corruption flaw classified as CWE-787. The vulnerability permits remote attackers to trigger arbitrary code execution or a denial of service through unspecified vectors. Its CVSS 3.1 score of 8.1 reflects a network attack vector, high attack complexity, and no required privileges or user interaction.

An attacker can deliver malicious content over the network to an affected Flash Player instance and leverage the flaw to corrupt memory, potentially gaining full control of the process or crashing the application. Exploitation requires no authentication and succeeds against any user who encounters the crafted input, though the high attack complexity indicates specific conditions must be met for reliable code execution.

Vendor advisories from Red Hat, openSUSE, Gentoo, and Secunia direct administrators to apply the corresponding updates that advance Flash Player past the listed vulnerable releases on each supported platform. These patches address the memory corruption issue directly and are distributed through the respective operating-system update mechanisms referenced in the security bulletins.

Vulnerability details

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player
≤ 10.3.183.15 · 11.0 — 11.1.102.62 · ≤ 11.1.111.6

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely installation of vendor patches that remediate the memory-corruption flaw in Flash Player.

prevent

Explicitly governs use of Flash movies (mobile code) and can block or restrict execution of the vulnerable player.

prevent

Mandates memory-protection techniques (DEP, ASLR, etc.) that raise the bar against exploitation of the out-of-bounds write (CWE-787).
