CVE-2016-1013

HIGH

Adobe Flash Player < 18.0.0.343, 19.x-21.x < 21.0.0.213, < 11.2.202.616 - Use-After-Free

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1013. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit targets a use-after-free vulnerability in Adobe Flash Player, triggered by rendering multiple scripts. The PoC is unreliable and may require extended rendering time to crash the browser, but the underlying bug is confirmed in debug builds.

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1011, CVE-2016-1016, CVE-2016-1017, and CVE-2016-1031.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdoswindows
https://www.exploit-db.com/exploits/39778

This exploit targets a use-after-free vulnerability in Adobe Flash Player, triggered by rendering multiple scripts. The PoC is unreliable and may require extended rendering time to crash the browser, but the underlying bug is confirmed in debug builds.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Adobe Flash Player (version not specified)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/85926
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0610.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39778/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035509
Patch, Third Party Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-050

Scores

CVSS v3 8.8
EPSS 0.2281
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (7)
adobe/air_desktop_runtime < 21.0.0.176
adobe/air_sdk < 21.0.0.176
adobe/air_sdk_\&_compiler < 21.0.0.176
adobe/flash_player < 11.2.202.577
adobe/flash_player < 18.0.0.333
adobe/flash_player < 21.0.0.197 (3 CPE variants)
adobe/flash_player_desktop_runtime < 21.0.0.197
Published Apr 09, 2016
Tracked Since Feb 18, 2026