Cyber Resilience

CVE-2018-15982

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 18 January 2019
Modified: 17 November 2025
KEV Added: 15 February 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9361 (99.8th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-15982 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 31.0.0.153 and earlier, along with Flash Player installer versions 31.0.0.108 and earlier, contain a use-after-free vulnerability identified as CVE-2018-15982 and assigned CWE-416. The flaw resides in the Flash Player component and can result in arbitrary code execution when triggered; its CVSS 3.1 score of 7.8 reflects high impact across confidentiality, integrity, and availability.

Exploitation requires local access (AV:L) with low complexity and no privileges, but depends on user interaction such as opening a malicious file. An attacker who succeeds can execute arbitrary code on the target system.

Adobe security bulletin APSB18-42 and the associated Red Hat errata RHSA-2018:3795 describe the availability of patches that remediate the issue in supported Flash Player releases.

Public proof-of-concept code for the vulnerability has been posted to Exploit-DB.

Vulnerability details

Flash Player versions 31.0.0.153 and earlier, and Flash Player installer versions 31.0.0.108 and earlier, have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 15 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe flash player: ≤ 31.0.0.153
redhat enterprise linux desktop: 6.0
redhat enterprise linux server: 6.0
redhat enterprise linux workstation: 6.0
adobe flash player installer: ≤ 31.0.0.108
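The affected-version bounds above are the kind of data a defender turns into an inventory check. The following is an added example, not code from the Cyber Resilience page or from Adobe: it parses dotted version strings numerically (a plain string comparison would wrongly rank "9.0.124" above "31.0.0.153"), compares each inventoried install against the two bounds the page lists, and reports which hosts still need APSB18-42 applied or Flash removed. The host,product,version inventory format and every host and version in the sample are constructed assumptions; only the product names and version bounds come from the page.

```python
"""
Added example: flag Flash Player installs inside the affected ranges listed
for CVE-2018-15982. Inventory format and sample rows are constructed.
"""
from dataclasses import dataclass

# Highest affected version per product, as listed on the page.
AFFECTED_MAX = {
    "adobe flash player": "31.0.0.153",
    "adobe flash player installer": "31.0.0.108",
}


def parse_version(v: str) -> tuple:
    """Turn '31.0.0.153' into (31, 0, 0, 153) so tuples compare numerically.
    Missing trailing components count as zero, so '31' equals '31.0.0.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True when the product is listed and the version is at or below its bound."""
    bound = AFFECTED_MAX.get(product.strip().lower())
    if bound is None:
        return False
    return parse_version(version) <= parse_version(bound)


@dataclass
class Finding:
    host: str
    product: str
    version: str


def scan_inventory(lines) -> list:
    """Read 'host,product,version' lines (assumed format) and return affected assets."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        host, product, version = [f.strip() for f in line.split(",", 2)]
        if is_affected(product, version):
            findings.append(Finding(host, product, version))
    return findings


# Constructed sample inventory: hosts and versions are made up for the example.
SAMPLE_INVENTORY = """
# host,product,version
ws-01,Adobe Flash Player,31.0.0.153
ws-02,Adobe Flash Player,32.0.0.1
ws-03,Adobe Flash Player Installer,31.0.0.108
ws-04,Adobe Flash Player Installer,31.0.0.122
ws-05,Adobe Flash Player,9.0.124
""".splitlines()

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version} is within the affected range; "
              f"apply APSB18-42 (SI-2) or remove the component (CM-7)")
```

Run against the constructed inventory, ws-01, ws-03 and ws-05 are reported and ws-02 and ws-04 are not; the boundary rows (exactly 31.0.0.153 and 31.0.0.108) are deliberately included because "and earlier" is inclusive.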

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patches (APSB18-42) that eliminate the use-after-free flaw before exploitation can occur.

CM-7 Least Functionality (prevent)

Enforces removal or disabling of the vulnerable Flash Player component, eliminating the attack surface that the CVE exploits.

SC-18 Mobile Code, partial match (prevent)

Restricts or blocks execution of untrusted mobile code (Flash) that triggers the use-after-free vulnerability via malicious files.
