CVE-2018-4878
Published: 06 February 2018
Summary
CVE-2018-4878 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability, tracked as CVE-2018-4878 and assigned CWE-416, affects Adobe Flash Player versions prior to 28.0.0.161. It stems from a dangling pointer in the Primetime SDK during media player handling of listener objects, which can be triggered to permit arbitrary code execution. The flaw carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
An attacker can exploit the issue locally without authentication, provided the victim interacts with malicious content such as a crafted document or web page. Successful exploitation grants full control over the affected process, enabling the attacker to execute arbitrary code with the same privileges as the Flash Player instance.
The vulnerability was actively exploited in the wild during January and February 2018, including in targeted campaigns attributed to Group 123 and large-scale malspam operations. Public references such as the Talos Intelligence report, Morphisec analysis, Red Hat RHSA-2018:0285, and vendor security trackers document these incidents and point to updated Flash Player releases as the primary remediation path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-16663
Vulnerability details
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that eliminate the use-after-free flaw in Flash Player.
- SC-18 (Mobile Code): Establishes usage restrictions and implementation guidance for mobile code technologies such as Flash, blocking the attack vector before malicious SWF content executes.
- CM-7 (Least Functionality): Enforces least functionality by disabling or removing the vulnerable Flash Player component when it is not an explicitly authorized business requirement.