Vulnerability Details: CVE-2018-15982
Public exploit exists!
Used for ransomware!
Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
Vulnerability category: Memory Corruption
Products affected by CVE-2018-15982
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:*
- cpe:2.3:a:adobe:flash_player_installer:*:*:*:*:*:*:*:*
CVE-2018-15982 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: Adobe Flash Player Use-After-Free Vulnerability
CISA required action: The impacted product is end-of-life and should be disconnected if still in use.
CISA description: Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-15982
Added on: 2022-02-15
Action due date: 2022-08-15
Exploit prediction scoring system (EPSS) score for CVE-2018-15982
EPSS score: 97.09% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-15982
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 2025-01-23 |
CWE ids for CVE-2018-15982
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2018-15982
- https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
  Adobe Security Bulletin (Patch; Vendor Advisory)
- https://www.exploit-db.com/exploits/46051/
  Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC) (Exploit; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/106116
  Adobe Flash Player CVE-2018-15982 Use After Free Remote Code Execution Vulnerability (Broken Link; Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:3795
  RHSA-2018:3795 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)