Cyber Resilience

CVE-2016-0984

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 February 2016

Published
10 February 2016
Modified
22 April 2026
KEV Added
25 May 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.6734 98.6th percentile
Risk Priority 78 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-0984 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 1.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2016-0984 is a use-after-free vulnerability (CWE-416) affecting Adobe Flash Player versions prior to 18.0.0.329 and 19.x/20.x prior to 20.0.0.306 on Windows and OS X, prior to 11.2.202.569 on Linux, as well as Adobe AIR, AIR SDK, and AIR SDK & Compiler before 20.0.0.260. The flaw resides in the Flash runtime's handling of certain objects and can be triggered through unspecified vectors, distinct from several related memory-safety issues in the same product family.

An unauthenticated remote attacker can exploit the condition by serving malicious Flash content that a victim renders in a browser or AIR application. Successful exploitation yields arbitrary code execution with the privileges of the affected process, corresponding to the observed CVSS 3.1 score of 8.8 that reflects network attack vector, low complexity, and required user interaction.

The referenced OpenSUSE and Red Hat advisories describe distribution-specific updates that replace the vulnerable Flash Player and AIR packages, thereby eliminating the affected code paths. Applying the vendor-supplied patches to the listed versions is the primary mitigation step.

EU & UK References

Vulnerability details

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before…

more

20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0982, and CVE-2016-0983.

CWE(s)
KEV Date Added
25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player
≤ 20.0.0.272 · ≤ 20.0.0.272 · ≤ 11.2.202.559
adobe
flash player desktop runtime
≤ 20.0.0.286
adobe
air desktop runtime
≤ 20.0.0.233
adobe
air sdk
≤ 20.0.0.233
adobe
air sdk \& compiler
≤ 20.0.0.233

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that remove the vulnerable Flash/AIR code paths described in the CVE.

SC-18 Mobile Code partial match
prevent

Restricts execution of untrusted mobile code (Flash) that is the attack vector for triggering the use-after-free flaw.

prevent

Enforces least functionality by disabling or removing the Flash Player plugin, eliminating the attack surface for remote malicious content.

References