PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2986 Adobe CVE debrief

CVE-2017-2986 is a high-severity Adobe Flash Player memory corruption issue in the Flash Video (FLV) codec. NVD describes it as an exploitable heap overflow that could lead to arbitrary code execution, with a CVSS 3.1 base score of 8.8, a network attack vector, and user interaction required. Adobe’s advisory APSB17-04 and the NVD record indicate that affected Flash Player builds are version 24.0.0.194 and earlier across the browser-integrated and desktop runtime variants.

Vendor: Adobe
Product: CVE-2017-2986
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams and administrators responsible for systems that still had Adobe Flash Player deployed in browsers or as a desktop runtime, especially environments using Chrome, Edge, Internet Explorer, or the standalone Flash Player runtime listed in the NVD CPEs.

Technical summary

The weakness is mapped to CWE-787 and is described in the source corpus as a heap overflow in the FLV codec. The NVD vector shows network-based delivery, low attack complexity, no privileges required, and user interaction required, with potential impact to confidentiality, integrity, and availability. The affected version range in the NVD data is Flash Player 24.0.0.194 and earlier for the listed Flash Player CPEs.

Defensive priority

High. The combination of remote delivery, user interaction, and potential arbitrary code execution makes this a priority for environments where Flash remained installed at the time of disclosure.

Recommended defensive actions

  • Upgrade or remove Adobe Flash Player on all affected systems, including browser-integrated and desktop runtime deployments.
  • Validate that versions at or below 24.0.0.194 are no longer present in the environment.
  • Use the Adobe security advisory APSB17-04 as the primary remediation reference and confirm vendor guidance was applied.
  • If Flash cannot be removed immediately in a legacy environment, restrict exposure by minimizing access to affected browsers and endpoints.
  • Treat the issue as a code-execution risk and prioritize remediation on internet-facing or user-facing systems first.
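As an added example (not part of this debrief or of Adobe's guidance), a small Python triage helper that applies the "at or below 24.0.0.194" check above to a constructed host inventory and orders affected hosts internet-facing first; the host names, the comma-separated version form and the inventory contents are assumptions:

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Highest affected build in the NVD CPE range for this CVE (from the debrief).
MAX_AFFECTED = (24, 0, 0, 194)

class Host(NamedTuple):
    name: str
    internet_facing: bool
    flash_version: Optional[str]   # None when Flash was not found on the host

def parse_flash_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Normalise a Flash Player version string to a 4-tuple of ints.

    Accepts the dotted form "24.0.0.194" and the comma form Flash itself
    reports, e.g. "WIN 24,0,0,194". Returns None on malformed input.
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", raw)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_affected(raw: str) -> bool:
    """True when the version is at or below 24.0.0.194 (the affected range)."""
    v = parse_flash_version(raw)
    if v is None:
        # Unparseable version: treat as affected so a human confirms it.
        return True
    return v <= MAX_AFFECTED

def triage(hosts: List[Host]) -> List[str]:
    """Return affected host names, internet-facing systems first, then by name."""
    affected = [h for h in hosts
                if h.flash_version is not None and is_affected(h.flash_version)]
    affected.sort(key=lambda h: (not h.internet_facing, h.name))
    return [h.name for h in affected]

# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    Host("kiosk-01", True, "24.0.0.194"),            # boundary build: affected
    Host("ws-finance-07", False, "WIN 23,0,0,207"),  # older, comma form: affected
    Host("ws-dev-02", False, "25.0.0.1"),            # constructed newer build: not flagged
    Host("srv-web-03", True, None),                  # no Flash installed: skipped
    Host("ws-legacy-09", False, "24.0.0"),           # malformed: flagged for review
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print("affected:", name)
```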

Evidence notes

The NVD record lists the flaw as an exploitable heap overflow in the FLV codec, assigns CWE-787, and provides CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The record’s references include Adobe’s APSB17-04 advisory, third-party advisories, and an Exploit-DB entry. The supplied CPE criteria mark Flash Player variants in Chrome, Edge, Internet Explorer, and the desktop runtime as vulnerable at versions up to and including 24.0.0.194.

Official resources

Publicly disclosed on 2017-02-15 per the supplied CVE and NVD timestamps; Adobe’s APSB17-04 advisory is referenced in the NVD record as the patch source.