CVE-2016-7892
Published: 15 December 2016
Summary
CVE-2016-7892 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 4.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions 23.0.0.207 and earlier, along with 11.2.202.644 and earlier, contain an exploitable use-after-free vulnerability in the TextField class, tracked as CVE-2016-7892 and assigned CWE-416. The flaw carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and no required privileges, indicating remote code execution is possible under the right conditions.
An attacker can trigger the vulnerability by supplying specially crafted content that interacts with a TextField object, leading to arbitrary code execution on the affected system after the freed memory is reused. The attack requires user interaction such as visiting a malicious web page or opening a crafted document containing the vulnerable Flash component.
Vendor advisories referenced in the CVE entry, including those from openSUSE and Red Hat, direct administrators to apply the corresponding security updates that remediate the issue in supported Flash Player releases. No information on observed in-the-wild exploitation is provided in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-8741
Vulnerability details
Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField class. Successful exploitation could lead to arbitrary code execution.
- CWE(s)
- KEV Date Added
- 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor security updates that remediate the use-after-free flaw in Flash Player TextField.
Restricts execution of untrusted mobile code (Flash SWF content) that triggers the TextField use-after-free vulnerability.
Enforces least functionality by disabling or removing the vulnerable Flash Player component when it is not required.