CVE-2016-4135

HIGH

Adobe Flash Player <=21.0.0.242 - Exploit-Referenced Impact Unknown

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4135. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a heap overflow vulnerability in Adobe's ATF (Adobe Texture Format) processing, specifically when decompressing alphas in images with a height of 1 pixel. The PoC requires hosting a malicious SWF and PNG file on a server to trigger the overflow when visited.

Description

Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdosmultiple
https://www.exploit-db.com/exploits/40087

This exploit leverages a heap overflow vulnerability in Adobe's ATF (Adobe Texture Format) processing, specifically when decompressing alphas in images with a height of 1 pixel. The PoC requires hosting a malicious SWF and PNG file on a server to trigger the overflow when visited.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe Flash Player (versions affected by CVE-2016-4135)
No auth needed
Prerequisites: Hosting malicious SWF and PNG files on a server · Victim visits the crafted URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036117
Patch, Third Party Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-083
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00038.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40087/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1238
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00035.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00031.html

Scores

CVSS v3 8.8
EPSS 0.1654
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (15)
adobe/flash_player
adobe/flash_player < 11.2.202.621
adobe/flash_player < 18.0.0.352
adobe/flash_player < 21.0.0.242 (3 CPE variants)
adobe/flash_player_desktop_runtime < 21.0.0.242
opensuse/opensuse 13.1
opensuse/opensuse 13.2
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 5.0
... and 5 more
Published Jun 16, 2016
Tracked Since Feb 18, 2026