CVE-2017-11292

HIGH KEV

Adobe Flash Player <= 27.0.0.159 - Remote Code Execution via Bytecode Verification Flaw

Title source: llm

Exploitation Summary

CVE-2017-11292 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022.

Description

Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.

References

- http://www.securitytracker.com/id/1039582 (SecurityTracker, VDB entry, third-party advisory; broken link)
- https://security.gentoo.org/glsa/201710-22 (Gentoo GLSA 201710-22, vendor advisory)
- http://www.securityfocus.com/bid/101286 (SecurityFocus BID 101286, VDB entry, third-party advisory; broken link)
- https://access.redhat.com/errata/RHSA-2017:2899 (Red Hat RHSA-2017:2899, vendor advisory)

Scores

CVSS v3 8.8
EPSS 0.3436
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2017-10-10
InTheWild.io 2017-10-10
ENISA EUVD EUVD-2017-2926
CWE
CWE-843
Status published
Products (7)
adobe/flash_player < 27.0.0.130 (2 CPE variants)
adobe/flash_player < 27.0.0.159
adobe/flash_player_desktop_runtime < 27.0.0.159
n/a / Adobe Flash Player version 27.0.0.159 and earlier
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
Published Oct 22, 2017
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026