Cyber Resilience

CVE-2016-4117

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 May 2016
Modified: 21 April 2026
KEV Added: 03 March 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9296 (99.8th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-4117 is a critical-severity remote code execution vulnerability in Adobe Flash Player 21.0.0.226 and earlier; the underlying weakness type is unspecified and no CWE is assigned. Red Hat Enterprise Linux 5 and 6 and several openSUSE and SUSE releases are listed as affected because they shipped Flash Player packages. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS 0.9296), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code): remove or disable the Flash Player component where it is not required, and restrict execution of Flash content as mobile code where it is.

Deeper analysis

Adobe Flash Player versions 21.0.0.226 and earlier contain a remote code execution vulnerability reachable through unspecified vectors. The flaw carries a CVSS v3.1 score of 9.8 and is tracked as CVE-2016-4117 with no associated CWE entry.

Per the CVSS vector (AV:N/PR:N/UI:N), remote attackers can exploit the issue over the network without authentication or user interaction and execute arbitrary code on affected systems. The vulnerability was actively exploited in the wild in May 2016.

openSUSE and Red Hat security advisories reference distribution-specific updates that address the flaw in their Adobe Flash Player packages. Public disclosure coincided with observed in-the-wild exploitation campaigns.

Vulnerability details

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.

CWE(s): none assigned
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player / ≤ 21.0.0.226
redhat / enterprise linux desktop / 5.0, 6.0
redhat / enterprise linux server / 5.0, 6.0
redhat / enterprise linux server from rhui / 5.0, 6.0
redhat / enterprise linux workstation / 5.0, 6.0
opensuse / evergreen / 11.4
opensuse / opensuse / 13.1, 13.2
suse / linux enterprise desktop / 12
suse / linux enterprise workstation extension / 12

Mitigating Controls (NIST 800-53 r5)

prevent: Flaw remediation. Directly requires timely installation of vendor patches that remediate the RCE flaw in Adobe Flash Player 21.0.0.226 and earlier.

prevent: CM-7 (Least Functionality). Enforces least functionality by disabling or removing the vulnerable Flash Player component so the exploit vector cannot be reached.

prevent: SC-18 (Mobile Code). Restricts or authorizes mobile code (Flash) execution, blocking the network-delivered arbitrary-code payloads described in the CVE.
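An added example, not code from this advisory or from Adobe, Red Hat or SUSE: a POSIX shell audit that tests a Flash Player version string against the affected range (21.0.0.226 and earlier) and then checks a Linux host for the package, which is the check you need before deciding between the patch, CM-7 (remove it) and SC-18 (restrict it) controls above. The RPM names flash-plugin (RHEL) and flash-player (openSUSE/SLE) and the plugin path /usr/lib64/mozilla/plugins/libflashplayer.so are assumptions about typical installs, not facts from this page; adjust them for your estate.

```shell
#!/bin/sh
# Added example (not from the advisory, Adobe, Red Hat or SUSE): decide whether
# a Flash Player version is in the CVE-2016-4117 affected range and audit a host.
# ASSUMPTIONS: package names flash-plugin / flash-player and the NPAPI library
# path below are typical, not stated by the advisory.

AFFECTED_MAX="21.0.0.226"
PLUGIN_LIB="${PLUGIN_LIB:-/usr/lib64/mozilla/plugins/libflashplayer.so}"

# version_lt A B: exit 0 when dotted-numeric version A is strictly below B.
# Missing trailing components count as 0, so 21.0 compares equal to 21.0.0.0.
version_lt() {
    vl_a="$1"; vl_b="$2"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x="${vl_a%%.*}"; vl_y="${vl_b%%.*}"
        if [ "$vl_x" = "$vl_a" ]; then vl_a=""; else vl_a="${vl_a#*.}"; fi
        if [ "$vl_y" = "$vl_b" ]; then vl_b=""; else vl_b="${vl_b#*.}"; fi
        vl_x="${vl_x:-0}"; vl_y="${vl_y:-0}"
        if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
        if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
    done
    return 1
}

# flash_is_vulnerable VERSION: exit 0 if VERSION <= 21.0.0.226 (affected),
# 1 if it is newer, 2 if VERSION is not a dotted numeric string.
flash_is_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    if version_lt "$AFFECTED_MAX" "$1"; then return 1; fi
    return 0
}

# installed_flash_version: print the RPM version of the Flash package, if any.
# (Assumed package names; rpm absent or package missing -> exit 1.)
installed_flash_version() {
    for ifv_pkg in flash-plugin flash-player; do
        if ifv_v=$(rpm -q --qf '%{VERSION}\n' "$ifv_pkg" 2>/dev/null); then
            printf '%s\n' "$ifv_v"; return 0
        fi
    done
    return 1
}

# audit_host: exit 1 when an affected build is installed, or when the plugin
# library exists without an RPM (manual install, version unknown).
audit_host() {
    ah_rc=0
    if ah_v=$(installed_flash_version); then
        if flash_is_vulnerable "$ah_v"; then
            echo "VULNERABLE: Flash Player $ah_v is <= $AFFECTED_MAX (CVE-2016-4117); patch or remove (CM-7)"
            ah_rc=1
        else
            echo "Flash Player $ah_v is outside the affected range; still restrict it as mobile code (SC-18)"
        fi
    elif [ -f "$PLUGIN_LIB" ]; then
        echo "NOTE: no Flash RPM, but $PLUGIN_LIB exists; version unknown, treat as affected"
        ah_rc=1
    else
        echo "no Flash Player found on this host"
    fi
    return "$ah_rc"
}

# Usage: sh flash_audit.sh --audit   (exit status 1 means action required)
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

The version comparison is done in pure POSIX shell rather than with `sort -V` so the script behaves the same on BusyBox-based hosts; `flash_is_vulnerable` returns 2 on malformed input so a garbled package version is never silently treated as patched.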
