CVE-2016-4117

CRITICAL KEV RANSOMWARE

Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2016-4117 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, amit-raut, Genwei Jiang, bcook-r7, including a Metasploit module exploits/osx/browser/adobe_flash_delete_range_tl_op.

AI-analyzed exploit summary This Metasploit module exploits a type confusion vulnerability in Adobe Flash Player (CVE-2016-4117) to achieve remote code execution on macOS systems. It delivers a malicious SWF file via a crafted HTML page, targeting specific versions of Flash Player on Safari or Firefox.

Description

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremoteosx
https://www.exploit-db.com/exploits/46339

This Metasploit module exploits a type confusion vulnerability in Adobe Flash Player (CVE-2016-4117) to achieve remote code execution on macOS systems. It delivers a malicious SWF file via a crafted HTML page, targeting specific versions of Flash Player on Safari or Firefox.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe Flash Player <= 21.0.0.182
No auth needed
Prerequisites: Victim must visit a malicious webpage · Adobe Flash Player <= 21.0.0.182 installed · macOS environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 1 stars
by amit-raut · poc
https://github.com/amit-raut/CVE-2016-4117-Report

This repository provides a detailed technical analysis of CVE-2016-4117, a critical Adobe Flash Player vulnerability. It includes root cause analysis, exploitation steps, and mitigation strategies but does not contain functional exploit code.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Adobe Flash Player 21.0.0.226 and earlier
No auth needed
Prerequisites: Victim opens a malicious MS Office document with embedded Flash content · Adobe Flash Player 21.0.0.226 or earlier installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WRITEUP
by amit-raut · poc
https://gitlab.com/amit-raut/CVE-2016-4117-Report

This repository provides a detailed technical analysis of CVE-2016-4117, a critical vulnerability in Adobe Flash Player. It explains the exploitation process, including memory corruption via conflicting property names and ByteArray manipulation, but does not include functional exploit code.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Adobe Flash Player 21.0.0.226 and earlier
No auth needed
Prerequisites: Victim opens a malicious MS Office document with embedded Flash content · Adobe Flash Player 21.0.0.226 or earlier installed
devstral-2 · analyzed Feb 23, 2026 Full analysis →
metasploit WORKING POC GREAT
by Genwei Jiang, bcook-r7 · rubypocosx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb

This Metasploit module exploits a type confusion vulnerability in Adobe Flash Player (CVE-2016-4117) by delivering a malicious SWF file via a crafted HTML page. It targets macOS systems with vulnerable Flash versions (≤21.0.0.182) and executes arbitrary payloads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe Flash Player ≤21.0.0.182
No auth needed
Prerequisites: Vulnerable Adobe Flash Player version · User interaction to visit malicious page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201606-08
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00047.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035826
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46339/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00046.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/90505
Broken Link, Vendor Advisory x_refsource_confirm
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1079.html

Scores

CVSS v3 9.8
EPSS 0.9296
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2016-05-08
InTheWild.io 2016-05-08
ENISA EUVD EUVD-2016-5118
Ransomware Use Confirmed
Status published
Products (14)
adobe/flash_player < 21.0.0.226
opensuse/evergreen 11.4
opensuse/opensuse 13.1
opensuse/opensuse 13.2
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 5.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_server_from_rhui 5.0
redhat/enterprise_linux_server_from_rhui 6.0
... and 4 more
Published May 11, 2016
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026