CVE-2016-0984
Published: 10 February 2016
Summary
CVE-2016-0984 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2016-0984 is a use-after-free vulnerability (CWE-416) affecting Adobe Flash Player versions prior to 18.0.0.329 and 19.x/20.x prior to 20.0.0.306 on Windows and OS X, prior to 11.2.202.569 on Linux, as well as Adobe AIR, AIR SDK, and AIR SDK & Compiler before 20.0.0.260. The flaw resides in the Flash runtime's handling of certain objects and can be triggered through unspecified vectors, distinct from several related memory-safety issues in the same product family.
An unauthenticated remote attacker can exploit the condition by serving malicious Flash content that a victim renders in a browser or AIR application. Successful exploitation yields arbitrary code execution with the privileges of the affected process, corresponding to the observed CVSS 3.1 score of 8.8 that reflects network attack vector, low complexity, and required user interaction.
The referenced OpenSUSE and Red Hat advisories describe distribution-specific updates that replace the vulnerable Flash Player and AIR packages, thereby eliminating the affected code paths. Applying the vendor-supplied patches to the listed versions is the primary mitigation step.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-0994
Vulnerability details
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, and CVE-2016-0983.
- CWE(s)
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches that remove the vulnerable Flash/AIR code paths described in the CVE.
Restricts execution of untrusted mobile code (Flash) that is the attack vector for triggering the use-after-free flaw.
Enforces least functionality by disabling or removing the Flash Player plugin, eliminating the attack surface for remote malicious content.