PatchSiren


CVE-2017-2990 Adobe CVE debrief

CVE-2017-2990 is a high-severity Adobe Flash Player memory corruption issue in the H.264 decompression routine. NVD maps it to CWE-787 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network-based exploitation that requires user interaction and can have major confidentiality, integrity, and availability impact. The supplied CPE data marks Flash Player in Chrome, Edge, Internet Explorer, and the desktop runtime as affected when running version 24.0.0.194 and earlier.

Vendor: Adobe
Product: CVE-2017-2990
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams managing Adobe Flash Player deployments, especially browser-integrated and desktop runtime installations. End users and administrators should also pay attention because exploitation requires user interaction and could lead to arbitrary code execution.

Technical summary

The supplied NVD record describes an exploitable memory corruption flaw in Flash Player's H.264 decompression path. The weakness is classified as CWE-787. Affected CPE criteria in the source corpus include Flash Player variants for Chrome, Edge, Internet Explorer, and the desktop runtime at version 24.0.0.194 and earlier.

Defensive priority

High. The supplied data does not list this CVE in CISA KEV, but the flaw is reachable over the network, needs only user interaction rather than privileges, and can lead to arbitrary code execution, which justifies prompt patching and exposure review.

Recommended defensive actions

  • Apply the Adobe security update referenced in APSB17-04 to all affected Flash Player installations.
  • Inventory Flash Player deployments, including browser-integrated copies in Chrome, Edge, and Internet Explorer, plus desktop runtime installs.
  • Prioritize remediation on systems that still allow Flash content or rely on legacy applications.
  • Use vendor and third-party advisories from Adobe, Red Hat, and Gentoo to confirm package-specific remediation steps.
  • Verify that systems no longer report Flash Player versions 24.0.0.194 or earlier.
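
One way to run the inventory and verification steps above against an exported asset list, as an added example that is not part of the original debrief or any vendor tooling. The CSV layout, host names and sample versions are constructed, and the comma-separated version form is an assumption about how some inventories export the value; only the 24.0.0.194 threshold comes from this page.

```python
import csv
import io
import re

# Highest affected version per the CPE criteria quoted on this page.
LAST_AFFECTED = (24, 0, 0, 194)

# Constructed sample inventory (hosts, variants and versions are made up).
SAMPLE_INVENTORY = """host,variant,version
ws-001,chrome,24.0.0.194
ws-002,desktop,"WIN 24,0,0,186"
ws-003,edge,24.0.0.221
ws-004,internet_explorer,23.0.0.207
ws-005,desktop,25.0
ws-006,chrome,unknown
"""


def parse_version(text):
    """Return a 4-part version tuple, or None if the string is not a version.

    Accepts dotted ("24.0.0.194") and comma-separated ("WIN 24,0,0,194")
    forms; short versions are padded with zeros ("25.0" -> 25.0.0.0).
    """
    match = re.search(r"\d+(?:[.,]\d+){0,3}", text)
    if not match:
        return None
    parts = [int(p) for p in re.split(r"[.,]", match.group())]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(inventory_csv):
    """Split inventory rows into affected, ok, and needs-manual-review hosts."""
    result = {"affected": [], "ok": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            bucket = "review"  # never treat an unreadable version as patched
        elif version <= LAST_AFFECTED:
            bucket = "affected"
        else:
            bucket = "ok"
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the review bucket reported a version string that could not be parsed and should be checked by hand rather than counted as remediated.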

Evidence notes

The supplied NVD record shows CVE-2017-2990 published on 2017-02-15 and modified on 2026-05-13. It references Adobe's APSB17-04 advisory, third-party advisories from Red Hat and Gentoo, and maps the weakness to CWE-787. The vulnerable CPE criteria in the source corpus specifically mark Flash Player versions 24.0.0.194 and earlier as affected.

Official resources

Publicly disclosed on 2017-02-15 per the supplied CVE and NVD record; the NVD record was later modified on 2026-05-13. No KEV listing is present in the supplied data.