Cyber Resilience

CVE-2016-4171

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 June 2016
Modified: 21 April 2026
KEV Added: 25 March 2022
Patch
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4416 (97.6th percentile)
Risk Priority: 66 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-4171 is a critical-severity remote code execution vulnerability in Adobe Flash Player whose underlying weakness type was never published (NVD-CWE-noinfo). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 2.4% of all CVEs by EPSS exploit likelihood (score 0.4416), and CISA added it to the Known Exploited Vulnerabilities catalog on 25 March 2022, well after the in-the-wild exploitation first reported in June 2016.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2016-4171 is an unspecified vulnerability affecting Adobe Flash Player versions 21.0.0.242 and earlier, and builds up to 11.2.202.621 on the long-lived 11.2.202.x branch that Adobe shipped for Linux (see the affected-asset list below). The flaw carries a CVSS score of 9.8 and is categorized under NVD-CWE-noinfo, meaning that insufficient detail was available at the time of disclosure to assign a specific weakness identifier; the root cause (memory corruption class, affected component) is therefore not documented in public references.

Per the CVSS vector, remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code, resulting in complete compromise of confidentiality, integrity, and availability on affected systems. Note the practical caveat behind that vector: Flash Player is a client-side plugin, not a listening service, so exploitation of this class of bug is delivered as a malicious SWF reached through a web page or an embedded document, and exposure follows wherever the plugin is loaded (browsers and document viewers) rather than any open port. The vulnerability was observed being exploited in the wild during June 2016.

Security advisories referenced from the openSUSE mailing lists, SecurityFocus, and SecurityTracker address the issue through updated packages and vendor patches for supported distributions and platforms. The public references are primarily distribution-specific announcements rather than a detailed technical analysis from the vendor, which is consistent with the NVD-CWE-noinfo classification.

EU & UK References

Vulnerability details

Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in June 2016.

CWE(s): NVD-CWE-noinfo (no specific weakness assigned)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player: ≤ 11.2.202.621 (11.2.202.x branch, shipped for Linux) · ≤ 21.0.0.242
redhat / enterprise linux desktop: 5.0, 6.0
redhat / enterprise linux server: 5.0, 6.0
redhat / enterprise linux workstation: 5.0, 6.0
opensuse / opensuse: 13.1, 13.2
suse / linux enterprise desktop: 12
suse / linux enterprise workstation extension: 12
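The SI-2 flaw-remediation step for this CVE reduces to checking every installed Flash Player build against the two affected upper bounds listed above. The script below is an added example, not part of this page, of Adobe's tooling, or of any distribution's advisory; the host inventory, host names and function names are constructed for illustration. The point it demonstrates is that the check must be branch-aware: a plain numeric comparison against 21.0.0.242 would treat every 11.2.202.x build, including ones above the 11.2.202.621 bound, as "older" and misflag it, while ignoring the Linux bound entirely would miss affected 11.2.202.x builds.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Upper bounds of the affected ranges as listed on this page. A build at or
# below the bound for its branch is treated as still vulnerable.
AFFECTED_MAX = {
    "11.2.202": (11, 2, 202, 621),  # long-lived 11.2.202.x branch (Linux)
    "main": (21, 0, 0, 242),        # all other builds
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '21.0.0.242' into (21, 0, 0, 242); reject malformed strings
    rather than comparing them lexically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Flash Player version string: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: Tuple[int, ...]) -> str:
    """Pick the bound to compare against: the 11.2.202 branch has its own."""
    return "11.2.202" if version[:3] == (11, 2, 202) else "main"


def is_affected(text: str) -> bool:
    """True if this build falls inside the affected range for its branch."""
    version = parse_version(text)
    return version <= AFFECTED_MAX[branch_of(version)]


@dataclass
class Host:
    name: str
    platform: str
    flash_version: Optional[str]  # None means Flash Player is not installed


def needs_remediation(hosts: List[Host]) -> List[str]:
    """Names of hosts that still run an affected Flash Player build."""
    return [
        h.name
        for h in hosts
        if h.flash_version is not None and is_affected(h.flash_version)
    ]


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_HOSTS = [
    Host("ws-01", "windows", "21.0.0.242"),   # exactly at the bound: affected
    Host("ws-02", "windows", "22.0.0.192"),   # above the bound: not affected
    Host("lx-01", "linux", "11.2.202.621"),   # at the 11.2.202 bound: affected
    Host("lx-02", "linux", "11.2.202.626"),   # above it; a naive compare against
                                              # 21.0.0.242 would misflag this one
    Host("mac-01", "macos", None),            # plugin removed (SC-18)
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        if host.flash_version is None:
            state = "n/a"
        else:
            state = "AFFECTED" if is_affected(host.flash_version) else "ok"
        print(f"{host.name:8} {host.platform:8} {host.flash_version or '-':14} {state}")
    print("needs remediation:", needs_remediation(SAMPLE_HOSTS))
```

Feed it the version strings your inventory tool already collects (for example from an rpm query on the Red Hat and SUSE packages listed above, or the plugin DLL's file version on Windows); the "not installed" case is kept distinct from "patched" so that SC-18 removals are visible in the same report.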

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of vendor patches that remediate the remote-code-execution flaw in Adobe Flash Player. Because Adobe ended Flash Player support and distribution at the end of 2020, any build still present today is unpatched by definition, and remediation means removal rather than update.

SC-18 Mobile Code (prevent): Restricts or disables execution of mobile code (Flash) that can be abused for unauthenticated remote code execution; blocking or uninstalling the plugin removes the exposure regardless of version.

SI-3 Malicious Code Protection (prevent / detect): Deploys anti-malware mechanisms to block or alert on malicious payloads delivered through the Flash vulnerability. This is a compensating control only: with no public root-cause detail for this CVE, signatures cover known exploit samples, not the flaw itself.

References