PatchSiren cyber security CVE debrief
CVE-2017-2991 Adobe CVE debrief
CVE-2017-2991 is a high-severity Adobe Flash Player memory corruption issue affecting versions 24.0.0.194 and earlier. According to the NVD record and Adobe-linked advisory references, the flaw is in the h264 codec decompression path and could be exploited for arbitrary code execution when a user interacts with malicious content.
- Vendor: Adobe
- Product: CVE-2017-2991
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Security teams, endpoint administrators, and browser/application owners that still manage Adobe Flash Player deployments should treat this as urgent, especially where Flash was used in Internet Explorer, Edge, Chrome, or the standalone desktop runtime listed by NVD. Systems exposed to untrusted web or media content are the most relevant defensive scope because the CVSS vector includes user interaction.
Technical summary
The NVD record classifies the weakness as CWE-787 and describes exploitable memory corruption in Flash Player's h264 codec related to decompression. The affected builds are Adobe Flash Player versions 24.0.0.194 and earlier, with vulnerable CPE entries covering browser-integrated variants and the desktop runtime. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network-reachable exploitation that requires user interaction and can have full confidentiality, integrity, and availability impact.
Defensive priority
High. The combination of user interaction, broad impact, and an Adobe patch reference makes this a priority patching and exposure-reduction item for any environment that still had Flash installed at the time of disclosure.
Recommended defensive actions
- Apply Adobe's security update referenced in APSB17-04 and move any Flash deployment beyond version 24.0.0.194.
- Inventory systems for Adobe Flash Player browser integrations and standalone desktop runtime installations identified in the NVD CPE list.
- Remove or disable Flash where it is no longer required, especially on user-facing endpoints that open untrusted web content.
- Validate that browsers and managed endpoints are receiving the patched Flash build through central software management.
- Use heightened monitoring around systems that process suspicious Flash or media content, focusing on crash and instability indicators consistent with memory corruption.
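The inventory and validation steps above depend on comparing reported Flash versions against the affected range numerically, not as strings. The following is an added example, not part of the NVD record or Adobe's advisory; the host names, CSV column names and the comma-separated version form are constructed assumptions about what an inventory export might contain.

```python
import csv
import io

# Last affected build for this CVE, per the NVD record quoted on this page.
LAST_AFFECTED = (24, 0, 0, 194)

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Flash Player ActiveX,24.0.0.194
ws-002,Adobe Flash Player PPAPI,24.0.0.221
ws-003,Adobe Flash Player NPAPI,9.0.124.0
ws-004,Adobe Flash Player ActiveX,24.0.0.1000
ws-005,Adobe Flash Player PPAPI,unknown
ws-006,Adobe Flash Player NPAPI,"24,0,0,186"
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a version."""
    # Assumption: some tools report Flash versions comma-separated.
    parts = text.strip().replace(",", ".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad "24.0" to 24.0.0.0


def classify(version_text):
    """Map a reported version to 'affected', 'not_affected' or 'review'."""
    version = parse_version(version_text)
    if version is None:
        return "review"  # unparseable: check manually, never assume patched
    # Tuple comparison is numeric per component; a string comparison would
    # rank "9.0.124.0" above "24.0.0.194" and "24.0.0.1000" below it.
    return "affected" if version <= LAST_AFFECTED else "not_affected"


def triage(inventory_csv):
    """Return {host: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

A "not_affected" result here refers only to the version range stated for CVE-2017-2991; it says nothing about later Flash vulnerabilities.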
Evidence notes
This debrief is based only on the supplied NVD CVE record, which states the affected version range, vulnerability class, and CVSS vector, plus the Adobe vendor advisory URL embedded in the NVD references. The record also includes third-party advisories and two legacy references marked as broken links; no claim is made beyond what is explicitly present in the corpus.
Official resources
- CVE-2017-2991 CVE record (CVE.org)
- CVE-2017-2991 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory
CVE published: 2017-02-15T06:59:00.697Z. NVD record modified: 2026-05-13T00:24:29.033Z. The supplied source timeline uses the CVE publication date as the primary disclosure date.