PatchSiren

CVE-2017-2994 Adobe CVE debrief

CVE-2017-2994 is a high-severity Adobe Flash Player vulnerability involving a use-after-free in Primetime SDK event dispatch. The issue was publicly disclosed on 2017-02-15 and, if successfully triggered, could allow arbitrary code execution. The supplied corpus shows the vulnerability affecting multiple Flash Player variants and browser-integrated deployments, with a user interaction requirement in the CVSS vector.

Vendor: Adobe
Product: CVE-2017-2994
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams supporting systems that still run Adobe Flash Player, especially desktop runtime or browser-integrated Flash deployments (Chrome, Edge, Internet Explorer). Prioritize environments where users can open untrusted content that may invoke Flash.

Technical summary

The NVD record classifies the weakness as CWE-416 (Use After Free). The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network-reachable exploitation with no privileges required but with user interaction. The vulnerability is described as an exploitable use-after-free in Primetime SDK event dispatch, and successful exploitation could lead to arbitrary code execution. The corpus includes Adobe’s vendor advisory reference and NVD CPEs for affected Flash Player variants.

Defensive priority

High

Recommended defensive actions

  • Apply Adobe’s security update referenced by APSB17-04 and verify all Flash Player installations are on a non-vulnerable release.
  • Inventory browser-integrated and standalone Flash Player deployments, including Chrome, Edge, Internet Explorer, and desktop runtime variants listed in the NVD CPEs.
  • Restrict or disable Flash where operationally possible, especially on systems exposed to untrusted web or document content.
  • Treat user-facing endpoints as highest priority because exploitation requires user interaction.
  • Use the supplied vendor and third-party references to confirm remediation status across downstream packaging and enterprise software inventories.

Evidence notes

Primary evidence comes from the official NVD record and the Adobe vendor advisory reference (APSB17-04). The NVD description identifies a use-after-free in Primetime SDK event dispatch and the CVSS vector requires user interaction. The corpus also contains a version-range discrepancy: the description states Flash Player 24.0.0.194 and earlier, while NVD CPE entries list affected variants through 24.0.0.221 for several deployments. Original CVE publication date is 2017-02-15; the later NVD modification date is 2026-05-13 and should not be treated as the disclosure date.
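
The version-range discrepancy noted above changes how the inventory step in the recommended actions should be triaged. The following Python is an added example, not code from Adobe, NVD, or this page's source: it classifies installed versions against both bounds reported here and marks the gap between them for verification against APSB17-04. The CSV columns, hostnames, sample versions and status labels are assumptions constructed for illustration.

```python
# Added example: triage a Flash Player inventory against the two version
# bounds this page reports for CVE-2017-2994. Inventory rows are constructed.
import csv
import io

DESCRIPTION_BOUND = (24, 0, 0, 194)  # "24.0.0.194 and earlier" (CVE description)
CPE_BOUND = (24, 0, 0, 221)          # upper bound in NVD CPE entries, per this page

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """host,variant,flash_version
ws-001,desktop_runtime,23.0.0.207
ws-002,chrome,24.0.0.194
ws-003,edge,24.0.0.221
ws-004,internet_explorer,24.0.0.200
ws-005,chrome,25.0.0.127
ws-006,desktop_runtime,not-installed
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the field is not a dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Place one version string relative to the two bounds above."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # unparsable: needs a manual inventory check
    if version <= DESCRIPTION_BOUND:
        return "affected"           # inside both reported ranges
    if version <= CPE_BOUND:
        return "verify"             # only inside the NVD CPE range; check APSB17-04
    return "outside-listed-ranges"  # above both bounds reported on this page

def triage(inventory_csv):
    """Return (host, variant, version, status) rows, most urgent status first."""
    order = {"affected": 0, "verify": 1, "unknown": 2, "outside-listed-ranges": 3}
    rows = [(r["host"], r["variant"], r["flash_version"], classify(r["flash_version"]))
            for r in csv.DictReader(io.StringIO(inventory_csv))]
    return sorted(rows, key=lambda row: (order[row[3]], row[0]))

if __name__ == "__main__":
    for host, variant, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:22} {host} {variant} {version}")
```

Hosts reported as "verify" or "unknown" are the ones the discrepancy leaves open; resolve them against the vendor advisory rather than treating them as remediated.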

Official resources

Publicly disclosed on 2017-02-15. The supplied enrichment does not mark this CVE as KEV, and no ransomware campaign use is indicated in the corpus. NVD was later modified on 2026-05-13.