Cyber Resilience

CVE-2016-1010

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 March 2016

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1270 (94.1st percentile)
Risk Priority: 45 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-1010 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apple Mac OS X. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

An integer overflow vulnerability, tracked as CVE-2016-1010 and assigned CWE-190, affects Adobe Flash Player versions before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X, before 11.2.202.577 on Linux, as well as Adobe AIR, Adobe AIR SDK, and Adobe AIR SDK & Compiler before 21.0.0.176. The flaw permits arbitrary code execution through unspecified vectors and is distinct from CVE-2016-0963 and CVE-2016-0993. It carries a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, and no privileges required.

Attackers can trigger the issue by supplying specially crafted content that victims are induced to process in the affected Flash Player or AIR runtime. Successful exploitation grants the ability to execute arbitrary code, potentially leading to full compromise of the affected system, with user interaction required to initiate the attack.

OpenSUSE security advisories referenced in the disclosure recommend applying vendor-supplied updates that address the integer overflow in the listed products. Corresponding patches were issued to bring Flash Player and AIR installations to the fixed versions noted in the CVE description.


Vulnerability details

Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993.

CWE(s): CWE-190 (Integer Overflow or Wraparound)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe flash player: ≤ 20.0.0.306 · ≤ 11.2.202.569 · ≤ 20.0.0.306
adobe air: ≤ 20.0.0.233
adobe air sdk: ≤ 20.0.0.260
samsung x14j firmware: t-ms14jakucb-1102.5
adobe flash player desktop runtime: ≤ 20.2.2.306
adobe air desktop runtime: ≤ 20.0.0.260
adobe air sdk & compiler: ≤ 20.0.0.260

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation). Directly requires timely identification and installation of vendor patches that remediate the integer-overflow flaw in Flash Player/AIR.

prevent: SC-18 (Mobile Code). Restricts or disables execution of untrusted mobile code (Flash), which is the attack vector for the crafted content that triggers CVE-2016-1010.

prevent: CM-7 (Least Functionality). Enforces least functionality by removing or disabling unnecessary Flash runtime components, eliminating the vulnerable attack surface.
