CVE-2018-15982
Published: 18 January 2019
Summary
CVE-2018-15982 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Flash Player versions 31.0.0.153 and earlier, along with versions 31.0.0.108 and earlier, contain a use-after-free vulnerability identified as CVE-2018-15982 and assigned CWE-416. The flaw resides in the Flash Player component and can result in arbitrary code execution when triggered, with a CVSS 3.1 score of 7.8 reflecting high impact across confidentiality, integrity, and availability.
Exploitation requires local access with low complexity and no privileges, but depends on user interaction such as opening a malicious file. An attacker who succeeds can execute arbitrary code on the target system.
Adobe security bulletin APSB18-42 and the associated Red Hat errata RHSA-2018:3795 describe the availability of patches that remediate the issue in supported Flash Player releases.
Public proof-of-concept code for the vulnerability has been posted to Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-7838
Vulnerability details
Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
- CWE(s)
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the vendor patches (APSB18-42) that eliminate the use-after-free flaw before exploitation can occur.
Enforces removal or disabling of the vulnerable Flash Player component, eliminating the attack surface that the CVE exploits.
Restricts or blocks execution of untrusted mobile code (Flash) that triggers the use-after-free vulnerability via malicious files.