CVE-2012-2034
Published: 09 June 2012
Summary
CVE-2012-2034 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Adobe Flash Player. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions prior to 10.3.183.20 and 11.x prior to 11.3.300.257 on Windows and Mac OS X, prior to 10.3.183.20 and 11.x prior to 11.2.202.236 on Linux, prior to 11.1.111.10 on Android 2.x and 3.x, and prior to 11.1.115.9 on Android 4.x, along with Adobe AIR before 3.3.0.3610, contain a memory corruption flaw classified as CWE-119. The issue permits arbitrary code execution or denial of service through unspecified vectors and is distinct from CVE-2012-2037. It carries a CVSS 3.1 score of 7.5, reflecting a network-reachable attack with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can deliver malicious Flash content via a web browser or AIR application to trigger the flaw. Successful exploitation grants the ability to execute arbitrary code in the context of the affected process or to crash the Flash runtime, potentially leading to system compromise on the target platform.
Adobe security bulletin APSB12-14 and corresponding vendor advisories from Red Hat and openSUSE direct users to apply the updated Flash Player and AIR releases that remediate the vulnerability. Organizations should prioritize installation of these patches across all supported operating systems to eliminate exposure.
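Because the fixed builds differ per platform and per release branch (the 10.3 and 11.x branches were patched separately, and Android 2.x/3.x got a different build than Android 4.x), a plain "version less than X" check is easy to get wrong. The following Python is an added example, not code from the page's source or from Adobe, that encodes the fixed versions listed above (from APSB12-14 as cited on this page) and evaluates inventory records against them; the record layout and the host names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '11.3.300.257' into an int tuple.

    Tuples compare element-wise, so (11, 3, 300, 256) < (11, 3, 300, 257),
    and a shorter prefix like (10, 3) sorts before (10, 3, 183, 20).
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


# Fixed Flash Player builds per platform: (10.3-branch fix, 11.x-branch fix).
# Values are those listed in the advisory text on this page.
FLASH_FIXED: Dict[str, Tuple[Version, Version]] = {
    "windows": ((10, 3, 183, 20), (11, 3, 300, 257)),
    "macos": ((10, 3, 183, 20), (11, 3, 300, 257)),
    "linux": ((10, 3, 183, 20), (11, 2, 202, 236)),
}

# Android fixes are keyed by the Android OS major version, not the Flash branch.
ANDROID_FIXED: Dict[int, Version] = {
    2: (11, 1, 111, 10),
    3: (11, 1, 111, 10),
    4: (11, 1, 115, 9),
}

AIR_FIXED: Version = (3, 3, 0, 3610)


def flash_is_vulnerable(platform: str, version: str,
                        android_major: Optional[int] = None) -> bool:
    """Return True if this Flash Player build is in an affected range."""
    v = parse_version(version)
    p = platform.lower()
    if p == "android":
        fixed = ANDROID_FIXED.get(android_major or -1)
        if fixed is None:
            raise ValueError(f"Android major version {android_major} not covered")
        return v < fixed
    if p not in FLASH_FIXED:
        raise ValueError(f"platform {platform!r} not covered by the advisory")
    legacy_fixed, modern_fixed = FLASH_FIXED[p]
    if v[0] == 11:
        return v < modern_fixed
    if v[0] <= 10:
        # Anything older than the 10.3 fix is affected, including 9.x builds.
        return v < legacy_fixed
    # Releases newer than 11.x are outside the advisory's stated ranges.
    return False


def air_is_vulnerable(version: str) -> bool:
    """Return True if this Adobe AIR build is older than the fixed release."""
    return parse_version(version) < AIR_FIXED


def find_exposed(records: List[Dict[str, object]]) -> List[str]:
    """Return host names whose recorded Flash/AIR build is still affected.

    Each record is a dict with keys: host, product ('flash' or 'air'),
    platform, version and, for Android, android_major (constructed layout).
    """
    exposed = []
    for r in records:
        if r["product"] == "flash":
            hit = flash_is_vulnerable(str(r["platform"]), str(r["version"]),
                                      r.get("android_major"))  # type: ignore[arg-type]
        else:
            hit = air_is_vulnerable(str(r["version"]))
        if hit:
            exposed.append(str(r["host"]))
    return exposed


# Constructed sample inventory; host names and builds are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "ws-01", "product": "flash", "platform": "windows", "version": "11.3.300.256"},
    {"host": "ws-02", "product": "flash", "platform": "windows", "version": "11.3.300.257"},
    {"host": "lx-01", "product": "flash", "platform": "linux", "version": "11.2.202.235"},
    {"host": "mac-01", "product": "flash", "platform": "macos", "version": "10.3.183.25"},
    {"host": "tab-01", "product": "flash", "platform": "android", "version": "11.1.115.8",
     "android_major": 4},
    {"host": "kiosk-01", "product": "air", "platform": "windows", "version": "3.2.0.2070"},
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2012-2034, apply APSB12-14 update")
```

Note that `mac-01` on 10.3.183.25 is reported as not affected even though it is "older" than 11.x: it is past the 10.3-branch fix, which is exactly the case a naive single-threshold check would misclassify.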
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2012-2040
Vulnerability details
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037.
- CWE(s): CWE-119
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that remediate the memory-corruption flaw in Flash Player and AIR.
SC-18 (Mobile Code): restricts or disables execution of untrusted mobile code (Flash) delivered through browsers or AIR applications.
Memory protection: implements memory-protection mechanisms that can block exploitation of the CWE-119 corruption before arbitrary code executes.