Cyber Resilience

CVE-2017-11292

HighCISA KEVActive ExploitationEUVD Exploited

Published: 22 October 2017

Published
22 October 2017
Modified
22 April 2026
KEV Added
03 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.3436 97.1th percentile
Risk Priority 58 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2017-11292 is a high-severity Type Confusion (CWE-843) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 27.0.0.159 and earlier contain a flawed bytecode verification procedure that permits an untrusted value to be used when calculating an array index. This flaw produces a type confusion condition, tracked as CWE-843, that can be leveraged for arbitrary code execution. The vulnerability carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and no required privileges.

An attacker can deliver malicious Flash content over the network that triggers the issue when rendered by the affected player. Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the current user, provided the victim interacts with the content.

Adobe addressed the issue in security bulletin APSB17-32, and corresponding updates were issued through Red Hat (RHSA-2017:2899), Gentoo (GLSA-201710-22), and other distribution channels. Practitioners should apply the vendor-supplied Flash Player updates immediately and consider disabling or removing the plugin where Flash usage is no longer required.

EU & UK References

Vulnerability details

Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead…

more

to arbitrary code execution.

CWE(s)
KEV Date Added
03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player desktop runtime
≤ 27.0.0.159
adobe
flash player
≤ 27.0.0.130 · ≤ 27.0.0.130 · ≤ 27.0.0.159
redhat
enterprise linux desktop
6.0
redhat
enterprise linux server
6.0
redhat
enterprise linux workstation
6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor-supplied Flash Player patches that correct the bytecode verification flaw.

prevent

Mandates disabling or removing the Flash Player plugin when its use is no longer required, eliminating the attack surface.

SC-18 Mobile Code partial match
prevent

Establishes usage restrictions and implementation guidance for mobile code technologies such as Flash.

References