Cyber Resilience

CVE-2012-5054

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 September 2012
Modified: 21 April 2026
KEV Added: 08 June 2022
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7151 (98.7th percentile)
Risk Priority: 81 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2012-5054 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an integer overflow, identified as CWE-190, in the copyRawDataTo method of the Matrix3D class within Adobe Flash Player versions prior to 11.4.402.265. This flaw resides in the client-side multimedia component responsible for handling 3D matrix transformations and raw data operations.

Remote attackers can exploit the issue by supplying malformed arguments to the affected method, typically through a malicious web page or Flash content that triggers the overflow. Successful exploitation grants the ability to execute arbitrary code on the target system, with the CVSS vector indicating network attack vector, low complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality, integrity, and availability.

Adobe addressed the flaw in security bulletin APSB12-19, which provides patched Flash Player builds and recommends immediate upgrade to version 11.4.402.265 or later. Public exploit code demonstrating the integer overflow and code execution path has been published via repositories such as PacketStorm.

Vulnerability details

Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player before 11.4.402.265 allows remote attackers to execute arbitrary code via malformed arguments.

CWE(s): CWE-190
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe flash player ≤ 11.4.402.265

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch (APSB12-19) that eliminates the integer overflow in Flash Player's copyRawDataTo method.

prevent

Restricts or disables execution of untrusted mobile code (Flash) that supplies malformed arguments to the vulnerable Matrix3D class.

prevent · detect

Blocks or detects malicious Flash content used to trigger the integer overflow and subsequent code execution.
