Cyber Resilience

CVE-2018-5002

HighCISA KEVActive ExploitationEUVD Exploited

Published: 09 July 2018

Published
09 July 2018
Modified
18 November 2025
KEV Added
23 May 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4714 97.8th percentile
Risk Priority 64 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-5002 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions 29.0.0.171 and earlier contain a stack-based buffer overflow vulnerability, tracked as CVE-2018-5002 and assigned CWE-787 and CWE-121. The flaw resides in the Flash Player component and carries a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability when triggered.

An attacker with the ability to supply a malicious Flash file can exploit the issue when the file is opened locally by a user. Successful exploitation grants arbitrary code execution in the context of the current user without requiring elevated privileges, although user interaction is necessary to initiate the attack.

Adobe addressed the vulnerability in security bulletin APSB18-19, and corresponding updates are available through vendor channels such as Red Hat RHSA-2018:1827 and Gentoo GLSA-201806-02. Practitioners should apply the latest Flash Player patches and remove or disable the plugin where it is no longer required.

EU & UK References

Vulnerability details

Adobe Flash Player versions 29.0.0.171 and earlier have a Stack-based buffer overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

CWE(s)
KEV Date Added
23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player desktop runtime
≤ 29.0.0.171
adobe
flash player
≤ 29.0.0.171 · ≤ 29.0.0.171 · ≤ 29.0.0.171
redhat
enterprise linux desktop
6.0
redhat
enterprise linux server
6.0
redhat
enterprise linux workstation
6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches (APSB18-19) that eliminate the stack buffer overflow in Flash Player.

prevent

Enforces removal or disabling of the Flash Player plugin when it is no longer required, eliminating the vulnerable attack surface.

SC-18 Mobile Code partial match
prevent

Restricts execution of untrusted mobile code (Flash SWF files) that an attacker supplies to trigger the buffer overflow.

References