Cyber Resilience

CVE-2016-7855

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 01 November 2016
Modified: 21 April 2026
KEV Added: 03 March 2022
Patch: available (see the vendor advisories under Deeper analysis)
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5897 (98.3rd percentile)
Risk Priority: 73 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-7855 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.7% of CVEs by EPSS exploit likelihood (98.3rd percentile), and CISA added it to the Known Exploited Vulnerabilities catalog on 03 March 2022.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2016-7855 and classified as CWE-416, affects Adobe Flash Player versions before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux. It carries a CVSS 3.1 base score of 8.8: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact to confidentiality, integrity, and availability.

Remote attackers can exploit the issue through unspecified vectors to achieve arbitrary code execution on the affected system. Because user interaction is required (UI:R), exploitation in practice means getting the victim to load attacker-controlled Flash content, such as a malicious Flash file or a page that embeds one. The vulnerability was observed being exploited in the wild in October 2016, before the advisory was published on 01 November 2016.

Vendor advisories, including Adobe Security Bulletin APSB16-36, Microsoft Security Bulletin MS16-128, and Red Hat RHSA-2016-2119, direct administrators to apply the respective updates that remediate the flaw by upgrading Flash Player to the fixed releases.
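As an added example, not code from Adobe or from the advisories above, the following triage helper applies the two fixed-release thresholds named in this analysis (23.0.0.205 for Windows and OS X, 11.2.202.643 for Linux) to an inventory of Flash Player installs. The hostnames and version strings in the sample inventory are constructed; the fixed-release table covers only the two branches this page names.

```python
# Added triage example for CVE-2016-7855: decide, for each Flash Player install in
# an inventory, whether it is below the fixed release for its platform branch.
# Not code from Adobe or from the advisory page; the inventory rows are constructed.
from typing import Dict, List, Tuple

# Fixed releases named on this page (APSB16-36). Windows and OS X share the 23.x
# branch; Linux is on the 11.2 extended-support branch, so a Linux build such as
# 11.2.202.643 is patched even though 11 < 23. Other Flash branches Adobe shipped
# at the time are not named on the page and are deliberately absent here.
FIXED_RELEASE: Dict[str, Tuple[int, ...]] = {
    "windows": (23, 0, 0, 205),
    "osx": (23, 0, 0, 205),
    "linux": (11, 2, 202, 643),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'23.0.0.185' -> (23, 0, 0, 185). Compare as integer tuples: as strings,
    '9.0.280.0' sorts *above* '23.0.0.205' and would be judged patched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the install is below the fixed release for its platform branch."""
    branch = platform.strip().lower()
    if branch not in FIXED_RELEASE:
        raise ValueError(f"no fixed release known for platform {platform!r}")
    return parse_version(version) < FIXED_RELEASE[branch]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into 'vulnerable', 'patched' and 'unknown'. A version or
    platform that cannot be evaluated lands in 'unknown' for manual review
    rather than silently passing as patched."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for row in inventory:
        try:
            vulnerable = is_vulnerable(row["platform"], row["version"])
            bucket = "vulnerable" if vulnerable else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"
        result[bucket].append(row.get("host", "?"))
    return result


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "platform": "windows", "version": "23.0.0.185"},   # affected per the asset list
    {"host": "ws-02", "platform": "windows", "version": "23.0.0.205"},   # the fixed release itself
    {"host": "mac-01", "platform": "osx", "version": "9.0.280.0"},       # string compare would miss this
    {"host": "lnx-01", "platform": "linux", "version": "11.2.202.635"},  # below the Linux fix
    {"host": "lnx-02", "platform": "linux", "version": "11.2.202.643"},  # the Linux fixed release
    {"host": "kiosk-7", "platform": "windows", "version": "unknown"},    # needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

The per-branch table is the part worth getting right: a single global threshold would mark every patched Linux host as vulnerable, and a lexical version comparison would mark ancient 9.x installs as patched. Hosts in the unknown bucket are exactly the ones a least-functionality review (remove Flash where it is not required) should look at first.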

Vulnerability details

Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe · flash player · ≤ 23.0.0.185
redhat · enterprise linux desktop · 5.0, 6.0
redhat · enterprise linux server · 5.0, 6.0
redhat · enterprise linux workstation · 5.0, 6.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patches that remediate the use-after-free flaw in Flash Player.

SC-18 Mobile Code (prevent)

Establishes usage restrictions and control of mobile code technologies such as Flash Player, which is the attack vector for this RCE.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or removing Flash Player installations that are not required, eliminating the vulnerable code rather than patching it.
