Cyber Resilience

CVE-2012-2034

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 June 2012

Modified: 21 April 2026
KEV Added: 28 March 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1029 (93.3rd percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-2034 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Adobe Flash Player. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions prior to 10.3.183.20 and 11.x prior to 11.3.300.257 on Windows and Mac OS X, prior to 10.3.183.20 and 11.x prior to 11.2.202.236 on Linux, prior to 11.1.111.10 on Android 2.x and 3.x, and prior to 11.1.115.9 on Android 4.x, along with Adobe AIR before 3.3.0.3610, contain a memory corruption flaw classified as CWE-119. The issue permits arbitrary code execution or denial of service through unspecified vectors and is distinct from CVE-2012-2037. It carries a CVSS 3.1 score of 7.5, reflecting a network attack vector (AV:N), high attack complexity (AC:H), required user interaction (UI:R), and high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can deliver malicious Flash content via a web browser or AIR application to trigger the flaw. Successful exploitation grants the ability to execute arbitrary code in the context of the affected process or to crash the Flash runtime, potentially leading to system compromise on the target platform.

Adobe security bulletin APSB12-14 and corresponding vendor advisories from Red Hat and openSUSE direct users to apply the updated Flash Player and AIR releases that remediate the vulnerability. Organizations should prioritize installation of these patches across all supported operating systems to eliminate exposure.


Vulnerability details

Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037.

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player: ≤ 11.2.202.235 · ≤ 11.1.115.8 · ≤ 11.1.111.9
adobe / air: ≤ 3.2.0.2070
opensuse / opensuse: 11.4, 12.1
suse / linux enterprise desktop: 10, 11
redhat / enterprise linux desktop: 5.0, 6.0
redhat / enterprise linux eus: 6.2
redhat / enterprise linux server: 5.0, 6.0
redhat / enterprise linux server aus: 6.2
redhat / enterprise linux workstation: 5.0, 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires timely installation of vendor patches that remediate the memory-corruption flaw in Flash Player and AIR.

Prevent: Restricts or disables execution of untrusted mobile code (Flash) delivered through browsers or AIR applications.

Prevent: Implements memory-protection mechanisms that can block exploitation of the CWE-119 corruption before arbitrary code executes.
