CVE-2017-11292

HIGH KEV

Adobe Flash Player Desktop Runtime < 27.0.0.159 - Type Confusion

Description

Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.

Scores

CVSS v3 8.8
EPSS 0.3362
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-03
VulnCheck KEV 2017-10-10
InTheWild.io 2017-10-10
ENISA EUVD EUVD-2017-2926
CWE CWE-843
Status published
Products (7)
adobe/flash_player < 27.0.0.130 (2 CPE variants)
adobe/flash_player < 27.0.0.159
adobe/flash_player_desktop_runtime < 27.0.0.159
n/a/Adobe Flash Player version 27.0.0.159 and earlier Adobe Flash Player version 27.0.0.159 and earlier
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
Published Oct 22, 2017
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026