PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2996 Adobe CVE debrief

CVE-2017-2996 is a high-severity Adobe Flash Player memory corruption vulnerability in Primetime SDK. Adobe and NVD indicate that versions 24.0.0.194 and earlier are affected, and successful exploitation could lead to arbitrary code execution with user interaction required.

Vendor: Adobe
Product: CVE-2017-2996
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security and patch management teams responsible for Adobe Flash Player deployments, especially installations integrated into Chrome, Edge, Internet Explorer, or the standalone desktop runtime. Endpoint teams should prioritize any systems that still expose Flash Player at or below the affected version range.

Technical summary

The NVD record classifies this issue as CWE-787 (out-of-bounds write) with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The supplied CPE data marks Adobe Flash Player versions through 24.0.0.194 as vulnerable across browser-integrated and desktop runtime variants. The vendor-facing reference is Adobe security bulletin APSB17-04.

Defensive priority

High

Recommended defensive actions

  • Use Adobe APSB17-04 as the primary remediation reference and verify the affected systems have been updated according to vendor guidance.
  • Inventory Adobe Flash Player installations and confirm no instances remain at version 24.0.0.194 or earlier.
  • Check browser-integrated Flash deployments in Chrome, Edge, and Internet Explorer as well as the standalone Flash Player desktop runtime.
  • Prioritize remediation on endpoints where Flash is still enabled or reachable by users.
  • Remove or disable Flash Player where it is no longer required, and confirm the change across managed systems.
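The inventory check in the actions above can be scripted. The following is an added example, not code from Adobe, NVD or PatchSiren: it triages inventory rows against the 24.0.0.194 ceiling stated on this page. The row layout, host names, variant labels, sample versions and the comma-separated version form are assumptions constructed for illustration.

```python
import re

# Highest affected version stated on this page: 24.0.0.194 and earlier.
LAST_AFFECTED = (24, 0, 0, 194)

def parse_version(text):
    """Return a 4-part integer tuple from '24.0.0.194' or '24,0,0,194', else None."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(rows):
    """Sort (host, variant, raw_version) rows into affected / ok / unknown."""
    result = {"affected": [], "ok": [], "unknown": []}
    for host, variant, raw in rows:
        ver = parse_version(raw)
        if ver is None:
            bucket = "unknown"    # unreadable version: needs manual review
        elif ver <= LAST_AFFECTED:
            bucket = "affected"   # integer tuple compare, so 9.x sorts below 24.x
        else:
            bucket = "ok"
        result[bucket].append((host, variant, raw))
    return result

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-001", "chrome", "24.0.0.194"),                # exactly at the ceiling
    ("ws-002", "desktop_runtime", "24.0.0.195"),       # one build above it
    ("ws-003", "internet_explorer", "WIN 23,0,0,207"), # comma-separated form
    ("ws-004", "edge", ""),                            # agent returned nothing
    ("ws-005", "chrome", "9.0.124.0"),                 # would pass a string compare
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE).items():
        for host, variant, raw in rows:
            print(f"{bucket:9} {host} {variant} {raw!r}")
```

Rows in the unknown bucket should be treated as unverified rather than clean, since a missing version string says nothing about whether Flash is present.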

Evidence notes

The supplied NVD record lists CVSS 8.8 with vector AV:N/AC:L/PR:N/UI:R and CWE-787. Its CPE criteria mark Adobe Flash Player versions ending in 24.0.0.194 as vulnerable for Chrome, Edge, Internet Explorer, and the desktop runtime. The Adobe-linked vendor advisory APSB17-04 is included as the patch reference. No KEV entry was supplied in the enrichment.

Official resources

Publicly disclosed on 2017-02-15 in the supplied CVE/NVD record. The supplied enrichment does not include a CISA KEV listing.