Cyber Resilience

CVE-2016-1019

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 07 April 2016
Modified: 21 April 2026
KEV Added: 03 March 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5670 (98.2nd percentile)
Risk Priority: 74 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-1019 is a critical-severity vulnerability of unspecified weakness type in Apple Mac OS X. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 21.0.0.197 and earlier contain an unspecified vulnerability that can be triggered to produce an application crash or potentially allow arbitrary code execution. The flaw carries a CVSS 3.1 base score of 9.8 and is tracked under NVD-CWE-noinfo, indicating insufficient public detail on the underlying weakness.

Remote attackers can exploit the issue over the network without authentication or user interaction, enabling denial-of-service conditions or full code execution on affected systems. The vulnerability was observed being exploited in the wild during April 2016.

Adobe security advisories and corresponding updates from Linux distributions such as openSUSE document the availability of patched Flash Player releases and recommend prompt installation to address the exposure. The in-the-wild exploitation noted at disclosure time underscores the need for rapid remediation in environments still running legacy Flash components.

Vulnerability details

Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.

CWE(s):
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

| Vendor | Product | Affected versions |
| --- | --- | --- |
| adobe | flash player desktop runtime | ≤ 21.0.0.197 |
| adobe | flash player | ≤ 18.0.0.333 · ≤ 21.0.0.197 · ≤ 21.0.0.197 |
| adobe | air desktop runtime | ≤ 21.0.0.176 |
| adobe | air sdk | ≤ 21.0.0.176 |
| adobe | air sdk & compiler | ≤ 21.0.0.176 |

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely installation of security-relevant patches to remediate the known Flash Player flaw before exploitation.

CM-7 Least Functionality
prevent

Enforces least functionality by disabling or removing the vulnerable Flash Player component entirely when it is not required.

SC-18 Mobile Code (partial match)
prevent

Restricts or monitors execution of mobile code such as Adobe Flash to block the remote code-execution vector.
