CVE-2016-7892

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 December 2016
Modified: 21 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2197 (95.9th percentile)
Risk Priority: 51 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-7892 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS 0.2197, 95.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 23.0.0.207 and earlier, along with 11.2.202.644 and earlier, contain an exploitable use-after-free vulnerability in the TextField class, tracked as CVE-2016-7892 and assigned CWE-416. The flaw carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and no required privileges, indicating remote code execution is possible under the right conditions.

An attacker can trigger the vulnerability by supplying specially crafted content that interacts with a TextField object, leading to arbitrary code execution on the affected system after the freed memory is reused. The attack requires user interaction such as visiting a malicious web page or opening a crafted document containing the vulnerable Flash component.

Vendor advisories referenced in the CVE entry, including those from openSUSE and Red Hat, direct administrators to apply the corresponding security updates that remediate the issue in supported Flash Player releases. No information on observed in-the-wild exploitation is provided in the source data.

Vulnerability details

Adobe Flash Player versions 23.0.0.207 and earlier, and 11.2.202.644 and earlier, have an exploitable use-after-free vulnerability in the TextField class. Successful exploitation could lead to arbitrary code execution.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: flash player desktop runtime
Versions: ≤ 23.0.0.207

Vendor: adobe
Product: flash player
Versions: ≤ 23.0.0.207

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation) · prevent
Directly requires timely installation of vendor security updates that remediate the use-after-free flaw in the Flash Player TextField class.

SC-18 (Mobile Code) · prevent
Restricts execution of untrusted mobile code (Flash SWF content) that triggers the TextField use-after-free vulnerability.

CM-7 (Least Functionality) · prevent
Enforces least functionality by disabling or removing the vulnerable Flash Player component when it is not required.