PatchSiren cyber security CVE debrief
CVE-2017-2992 Adobe CVE debrief
CVE-2017-2992 is a high-severity Adobe Flash Player memory corruption issue. According to NVD and Adobe-linked references, parsing an MP4 header can trigger a heap overflow in affected Flash Player versions 24.0.0.194 and earlier, and successful exploitation could lead to arbitrary code execution.
- Vendor: Adobe
- Product: CVE-2017-2992
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-15
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-15
- Advisory updated: 2026-05-13
Who should care
Teams responsible for legacy Flash deployments, browser-bundled Flash integrations, desktop runtime installs, and vulnerability management should treat this as a priority if any affected versions remain in use.
Technical summary
NVD classifies the issue as CWE-787 and assigns a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network exposure, no privileges required, and user interaction needed. The affected scope in the NVD CPE criteria includes Adobe Flash Player desktop runtime and browser integrations for Chrome, Edge, and Internet Explorer, with vulnerable versions ending at 24.0.0.194.
Defensive priority
High for any environment that may still contain affected Flash Player installations; validate and remediate quickly because the issue is remotely reachable and has full confidentiality, integrity, and availability impact if exploited.
Recommended defensive actions
- Apply the Adobe Flash Player update referenced by APSB17-04 and any downstream vendor updates linked in the NVD record.
- Inventory all systems and browsers for Flash Player desktop runtime and bundled/browser-integrated Flash components.
- Verify installed Flash versions are newer than 24.0.0.194 where Flash remains present.
- Review exposure in legacy browser stacks that match the affected CPEs (Chrome, Edge, Internet Explorer integrations).
- Treat legacy third-party advisories and mirror references as informational; use the vendor patch as the remediation source of truth.
- Prioritize removal or retirement of any remaining vulnerable Flash installations from production and user endpoints.
Evidence notes
The source corpus identifies Adobe as the vendor, with the NVD record showing CVE publication on 2017-02-15 and modification on 2026-05-13. NVD lists the affected product as Adobe Flash Player versions through 24.0.0.194 for desktop runtime and browser integrations, and links Adobe APSB17-04 as the vendor patch reference. The record also includes a third-party exploit reference and third-party advisories, while marking some legacy references as broken-link entries in its metadata.
Official resources
- CVE-2017-2992 CVE record (CVE.org)
- CVE-2017-2992 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Exploit, Third Party Advisory, VDB Entry
Published by CVE/NVD on 2017-02-15. The provided corpus does not list a KEV entry. Adobe's APSB17-04 is the linked vendor patch reference in the source metadata.