PatchSiren cyber security CVE debrief
CVE-2017-2988 Adobe CVE debrief
CVE-2017-2988 is an Adobe Flash Player memory corruption vulnerability tied to garbage collection. According to the NVD record, it affects Flash Player versions 24.0.0.194 and earlier in the listed Chrome, Edge, Internet Explorer, and desktop runtime deployment contexts. Successful exploitation could lead to arbitrary code execution. The CVE was published on 2017-02-15, and the NVD record was later modified on 2026-05-13.
- Vendor: Adobe
- Product: CVE-2017-2988
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Security teams responsible for systems that still run Adobe Flash Player, especially legacy browser-integrated Flash deployments, should pay attention. Endpoint and application owners should also care if any supported or archived environment still exposes Flash Player versions at or below 24.0.0.194.
Technical summary
The source data describes an exploitable memory corruption issue occurring during garbage collection. NVD maps the weakness to CWE-787 and rates the issue CVSS 3.1 8.8 HIGH with network attack vector, low attack complexity, no privileges required, and required user interaction. The vulnerable CPE entries identify Adobe Flash Player variants for Chrome, Edge, Internet Explorer, and the desktop runtime, with affected versions ending at 24.0.0.194.
Defensive priority
High. The vulnerability has high impact potential and low complexity, but exploitation requires user interaction. Treat it as urgent anywhere Flash remains present or cannot be fully removed.
Recommended defensive actions
- Apply the Adobe security update referenced in the vendor advisory for APSB17-04.
- Inventory all systems and browser profiles that may still include Adobe Flash Player or Flash Player desktop runtime components.
- Remove or disable Flash Player wherever possible, especially in legacy browser-integrated environments.
- Verify version levels against the NVD affected-version boundary of 24.0.0.194 and earlier.
- Prioritize remediation on endpoints and applications that handle untrusted web content or user-supplied Flash content.
- Review detections and protections for memory-corruption exploitation attempts in affected environments.
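The version check in the list above, as an added example that is not part of the original debrief or of any NVD or Adobe tooling: it triages a constructed inventory against the 24.0.0.194 boundary by comparing versions numerically, because a plain string comparison misorders values such as 9.0.124.0. The host names, the inventory layout and the function names are assumptions made for illustration.

```python
import re

# Boundary from the NVD record cited on this page: 24.0.0.194 and earlier are affected.
AFFECTED_MAX = (24, 0, 0, 194)

# Four numeric fields separated by dots or commas, anywhere in the string.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_version(raw):
    """Return the version as a 4-int tuple, or None if no version is found."""
    match = _VERSION_RE.search(raw or "")
    return tuple(int(g) for g in match.groups()) if match else None


def classify(raw):
    """Classify one reported version string against the CVE-2017-2988 boundary.

    "above-boundary" only means outside this CVE's affected range.
    """
    version = parse_version(raw)
    if version is None:
        return "unknown"  # never assume safe: send to manual review
    # Tuple comparison is numeric per field, unlike comparing the raw strings.
    return "affected" if version <= AFFECTED_MAX else "above-boundary"


def triage(inventory):
    """Group (host, variant, reported_version) rows by classification."""
    groups = {"affected": [], "above-boundary": [], "unknown": []}
    for host, _variant, raw in inventory:
        groups[classify(raw)].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "desktop runtime", "24.0.0.194"),        # exactly on the boundary
    ("ws-002", "Internet Explorer", "WIN 24,0,0,186"),  # comma-separated form
    ("ws-003", "desktop runtime", "9.0.124.0"),         # sorts above "24..." as a string
    ("ws-004", "Chrome", "25.0.0.127"),
    ("ws-005", "Edge", "installed"),                    # no usable version recorded
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Rows that land in "unknown" are the ones to chase first during the inventory step, since a missing version is not evidence that Flash is absent.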
Evidence notes
This debrief is based on the supplied NVD record and its referenced Adobe advisory. The record states: vulnerable Adobe Flash Player versions are 24.0.0.194 and earlier; the weakness is CWE-787; and the CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The source metadata also lists an Adobe vendor advisory, third-party advisories, and an exploit reference, but this summary does not rely on any details beyond the supplied metadata.
Official resources
- CVE-2017-2988 CVE record (CVE.org)
- CVE-2017-2988 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory, VDB Entry
Publicly published in the CVE/NVD record on 2017-02-15. The record was later modified on 2026-05-13; that modified date should not be treated as the original disclosure date.