PatchSiren cyber security CVE debrief
CVE-2017-2982 Adobe CVE debrief
CVE-2017-2982 is a high-severity Adobe Flash Player use-after-free vulnerability in a routine related to player shutdown. Adobe and NVD identify affected Flash Player builds as versions 24.0.0.194 and earlier, and the issue can lead to arbitrary code execution if successfully exploited. The NVD CVSS 3.1 vector shows network attack conditions with user interaction required.
- Vendor: Adobe
- Product: CVE-2017-2982
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Organizations and users that still run Adobe Flash Player, including the Flash Player desktop runtime and browser-integrated Flash deployments listed in the NVD CPEs (Chrome, Edge, Internet Explorer). Security teams should treat this as important wherever legacy Flash components remain present.
Technical summary
NVD classifies the weakness as CWE-416 (use after free). The vulnerability is described as occurring in a routine related to player shutdown. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating remote reachability but requiring user interaction. NVD CPE entries mark Adobe Flash Player versions up to and including 24.0.0.194 as vulnerable for the listed Flash Player product variants.
Defensive priority
High priority. This is a remotely reachable, user-interaction-dependent code execution flaw in a widely deployed legacy product. Prioritize removal or patching of affected Flash Player installations and confirm that no vulnerable Flash runtime remains in supported or legacy environments.
Recommended defensive actions
- Apply the Adobe security update referenced by APSB17-04 for affected Flash Player installations.
- Remove or disable Adobe Flash Player wherever it is no longer required.
- Inventory systems for Flash Player desktop runtime and browser-integrated Flash instances listed in the NVD CPEs.
- Verify that installed Flash Player versions are newer than 24.0.0.194 or otherwise no longer present.
- Use browser and endpoint controls to block legacy Flash content until remediation is complete.
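The inventory and version-verification steps above can be scripted. The following is an added example, not part of the original debrief or of any Adobe or NVD tooling; the CSV layout, hostnames and status names are constructed assumptions. It compares versions numerically, because a plain string comparison would rank 9.0.124.0 above 24.0.0.194 and miss an old install.

```python
# Added example: inventory triage against the affected range stated on this page.
import csv
import io

LAST_VULNERABLE = (24, 0, 0, 194)  # page: 24.0.0.194 and earlier are affected

# Constructed sample inventory; an empty version means Flash is not installed.
SAMPLE_INVENTORY = """\
host,product,version
ws-001,Flash Player desktop runtime,24.0.0.194
ws-002,Flash Player for Chrome,24.0.0.221
ws-003,Flash Player for Internet Explorer,9.0.124.0
ws-004,Flash Player for Edge,
ws-005,Flash Player desktop runtime,24.0.0
ws-006,Flash Player desktop runtime,unknown
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad "24.0.0" to (24, 0, 0, 0)


def classify(version_text):
    """Map one inventory version string to a triage status."""
    if not version_text.strip():
        return "absent"
    version = parse_version(version_text)
    if version is None:
        return "review"  # unparseable value: never assume it is safe
    return "vulnerable" if version <= LAST_VULNERABLE else "newer"


def triage(inventory_csv):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"] or "") for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "review" need a manual check, since an unreadable version string gives no evidence that the runtime is outside the affected range.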
Evidence notes
The source corpus states that Adobe Flash Player versions 24.0.0.194 and earlier contain an exploitable use-after-free vulnerability related to player shutdown. NVD assigns CWE-416 and CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The NVD CPE criteria list Adobe Flash Player variants for Chrome, Edge, Internet Explorer, and the desktop runtime as vulnerable through 24.0.0.194. Adobe’s advisory APSB17-04 is referenced as the vendor patch reference in the NVD record.
Official resources
- CVE-2017-2982 CVE record: CVE.org
- CVE-2017-2982 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed on 2017-02-15 in the CVE/NVD record. The source metadata later shows a 2026-05-13 modified timestamp, but the vulnerability issue date should be treated as the original 2017 publication date.