OpenSUSE Linux update for Adobe Flash Player
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 23 |
| CVE-ID | CVE-2016-0960 CVE-2016-0961 CVE-2016-0962 CVE-2016-0963 CVE-2016-0986 CVE-2016-0987 CVE-2016-0988 CVE-2016-0989 CVE-2016-0990 CVE-2016-0991 CVE-2016-0992 CVE-2016-0993 CVE-2016-0994 CVE-2016-0995 CVE-2016-0996 CVE-2016-0997 CVE-2016-0998 CVE-2016-0999 CVE-2016-1000 CVE-2016-1001 CVE-2016-1002 CVE-2016-1005 CVE-2016-1010 |
| CWE-ID | CWE-119 CWE-190 CWE-416 CWE-122 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #18 is available. Public exploit code for vulnerability #19 is available. Public exploit code for vulnerability #20 is available. Public exploit code for vulnerability #21 is available. Vulnerability #23 is being exploited in the wild. |
| Vulnerable software Subscribe |
Adobe AIR Client/Desktop applications / Multimedia software Adobe Flash Player Extended Support Release Client/Desktop applications / Multimedia software Adobe Flash Player for Linux Client/Desktop applications / Multimedia software Adobe Flash Player Client/Desktop applications / Plugins for browsers, ActiveX components |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 23 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU5725
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0960
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU5726
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0961
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory corruption
EUVDB-ID: #VU5727
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0962
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Integer overflow
EUVDB-ID: #VU5722
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0963
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Memory corruption
EUVDB-ID: #VU5728
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0986
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free error
EUVDB-ID: #VU5733
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0987
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free error
EUVDB-ID: #VU5734
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0988
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Memory corruption
EUVDB-ID: #VU5729
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0989
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free error
EUVDB-ID: #VU5735
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0990
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free error
EUVDB-ID: #VU5736
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0991
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Memory corruption
EUVDB-ID: #VU5730
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0992
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Integer overflow
EUVDB-ID: #VU5723
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0993
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free error
EUVDB-ID: #VU5737
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0994
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Use-after-free error
EUVDB-ID: #VU5738
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0995
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Use-after-free error
EUVDB-ID: #VU5739
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-0996
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Use-after-free error
EUVDB-ID: #VU5740
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-0997
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
17) Use-after-free error
EUVDB-ID: #VU5741
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-0998
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Use-after-free error
EUVDB-ID: #VU5742
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-0999
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Use-after-free error
EUVDB-ID: #VU5743
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-1000
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
20) Heap-based buffer overflow
EUVDB-ID: #VU5724
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-1001
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
21) Memory corruption
EUVDB-ID: #VU5731
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-1002
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
22) Memory corruption
EUVDB-ID: #VU5732
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-1005
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Integer overflow
EUVDB-ID: #VU4644
Risk: Critical
CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2016-1010
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Note: the vulnerability was being actively exploited.
Mitigation
Update the affected packages.
Adobe AIR: 20.0.0.204 - 21.0.0.176
Adobe Flash Player: 20.0.0.228 - 21.0.0.182
Adobe Flash Player Extended Support Release: 18.0.0.268 - 18.0.0.333
Adobe Flash Player for Linux: 11.2.202.238 - 11.2.202.577
External linkshttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00024.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
