Vulnerability Details : CVE-2016-7855
Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.
Vulnerability category: Memory Corruption, Execute code
Products affected by CVE-2016-7855
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:linux:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer:*:*
CVE-2016-7855 is in the CISA Known Exploited Vulnerabilities Catalog
- CISA vulnerability name: Adobe Flash Player Use-After-Free Vulnerability
- CISA required action: The impacted product is end-of-life and should be disconnected if still in use.
- CISA description: Use-after-free vulnerability in Adobe Flash Player Windows and OS and Linux allows remote attackers to execute arbitrary code.
- Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-7855
- Added on: 2022-03-03
- Action due date: 2022-03-24
Exploit prediction scoring system (EPSS) score for CVE-2016-7855
- EPSS score: 11.87% (probability of exploitation activity in the next 30 days)
- Percentile: ~ 96 % (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-7855
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2016-7855
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-7855
- https://security.gentoo.org/glsa/201610-10
  Adobe Flash Player: Multiple vulnerabilities (GLSA 201610-10) — Gentoo security [Third Party Advisory]
- http://www.securitytracker.com/id/1037111
  Adobe Flash Player Use-After-Free Memory Error Lets Remote Users Execute Arbitrary Code - SecurityTracker [Third Party Advisory; VDB Entry]
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-128
  Microsoft Security Bulletin MS16-128 - Critical | Microsoft Docs [Patch; Vendor Advisory]
- http://www.securityfocus.com/bid/93861
  Adobe Flash Player CVE-2016-7855 Use After Free Remote Code Execution Vulnerability [Third Party Advisory; VDB Entry]
- https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
  Google Online Security Blog: Disclosing vulnerabilities to protect users [Third Party Advisory]
- https://helpx.adobe.com/security/products/flash-player/apsb16-36.html
  Adobe Security Bulletin [Patch; Vendor Advisory]
- http://rhn.redhat.com/errata/RHSA-2016-2119.html
  RHSA-2016:2119 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]