
Adobe Flash Player CVE-2016-4117

CRITICAL 9.8 (CVSS 3.1 · NVD)
Published 2016-05-11 · assigner psirt@adobe.com

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Apr 21, 2026 15:32  vuln.today  Analysis updated, v2 (cvss_changed)
Apr 21, 2026 15:22  vuln.today  Re-analysis queued (cvss_changed)
Mar 26, 2026 11:18  vuln.today  Analysis generated
Nov 17, 2025 20:15  cisa        Added to CISA KEV
Nov 17, 2025 20:15  vuln.today  PoC detected: public exploit code
May 11, 2016 01:59  nvd         CVE published (CRITICAL 9.8)

Description (CVE.org)

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.

Analysis (AI)

Remote code execution in Adobe Flash Player 21.0.0.226 and earlier: an unauthenticated attacker who gets a crafted SWF loaded by the vulnerable runtime can execute arbitrary code in the context of the browser or application hosting it. NVD scores User Interaction as None, but in practice the victim still has to load attacker-controlled Flash content (a web page, or a document that embeds the SWF), so the realistic delivery paths are phishing, malvertising and compromised sites rather than an unsolicited inbound connection. The flaw was exploited in the wild as a zero-day in May 2016, before Adobe published the APSA16-02 advisory and the APSB16-15 fix; it is now listed in CISA KEV and public exploit code is available. The EPSS score of 92.76% (100th percentile) reflects the continued likelihood of exploitation against any installation that is still unpatched.

Technical Context (AI)

Adobe Flash Player is a discontinued multimedia runtime (end of life December 2020) that executed ActionScript and rendered SWF content inside web browsers and standalone applications. The CPE data lists the ActiveX control, the NPAPI plugin and the PPAPI (Pepper) plugin across Windows, macOS, Linux and ChromeOS, plus the enterprise distributions that shipped the plugin: Red Hat Enterprise Linux 5 and 6 (desktop, server and workstation variants) and openSUSE Evergreen 11.4, which shows how widely it was deployed. No CWE is assigned, so the root-cause class is not stated in public data. The 'unspecified vectors' wording and the out-of-band emergency patch indicate a previously unknown code-execution primitive in the runtime; use-after-free and type-confusion bugs in the ActionScript VM were the dominant class of Flash code-execution flaws in this period, but nothing on this page confirms which class applies here.

Remediation (AI)

Vendor fix: APSB16-15 ships Adobe Flash Player 21.0.0.242 for the desktop runtime and browser plugins and 18.0.0.352 for the Extended Support Release, with corresponding builds for the other plugin variants listed in the bulletin. Upgrade through Adobe's distribution channels or the enterprise update mechanism already in use; browsers and operating systems that bundled Flash delivered the same fix through their own update channels. Red Hat Enterprise Linux users should apply RHSA-2016:1079 via yum; SUSE users should apply the updates announced as SUSE-SU-2016:1305, 1306, 1307 and 1308. Because Flash Player reached end of life in December 2020 and receives no security updates of any kind, the only durable fix is to remove it from every system, which eliminates this attack surface entirely; modern web applications no longer depend on it, so the operational cost is limited to whatever legacy application still requires it. Where Flash must remain for a specific business application, restrict which SWF content the runtime may load (the runtime's mms.cfg allow-list settings, or click-to-play and per-site permissions in the browser), run it inside browser isolation, and block Flash at the perimeter by having web proxies or content filters drop .swf downloads and the Flash MIME types (application/x-shockwave-flash, application/vnd.adobe.flash.movie), matching on the SWF signature bytes as well as the declared type so a mislabelled file is still caught. Keep those systems segmented from internet-facing networks. These compensating controls narrow the exposure but add operational complexity and can break legitimate functionality, so each exception needs an explicit, case-by-case business justification.
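The version triage and the perimeter filter described above, as an added example that is not part of this page or of Adobe's tooling: it compares installed version strings against the two APSB16-15 fixed builds named in the Remediation section (21.0.0.242 and 18.0.0.352), reports any other branch as needing a lookup in the bulletin rather than guessing, and flags HTTP responses that carry SWF content by signature bytes as well as by Content-Type. The host names, the inventory and the response bodies are constructed for illustration.

```python
"""Version triage against the APSB16-15 fixed builds, plus a perimeter check
for SWF content. Added example for this page, not vendor tooling. The fixed
versions are the ones stated in the Remediation section; the host inventory
and HTTP samples below are constructed for illustration."""
from __future__ import annotations

# Fixed builds from APSB16-15, keyed by release branch (major version).
FIXED_VERSIONS = {
    21: (21, 0, 0, 242),  # desktop runtime and browser plugins
    18: (18, 0, 0, 352),  # Extended Support Release
}

# MIME types under which SWF content was served (lower-case for comparison).
FLASH_MIME_TYPES = {
    "application/x-shockwave-flash",
    "application/vnd.adobe.flash.movie",
}

# Every SWF file opens with a 3-byte signature: FWS (uncompressed),
# CWS (zlib-compressed) or ZWS (LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '21.0.0.226'; Windows inventories often report '21,0,0,226'."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one installed version for CVE-2016-4117.

    'vulnerable'     below the fixed build of its branch (18.x or 21.x)
    'patched'        at or above the fixed build, or a branch newer than
                     21.x, which post-dates the fix
    'unknown-branch' a branch whose fixed build this page does not list
                     (for example the 11.2.202.x Linux NPAPI line); look
                     it up in APSB16-15 instead of guessing
    """
    v = parse_version(version)
    if v[0] > 21:
        return "patched"
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if v < fixed else "patched"


def triage(inventory: list[dict]) -> list[dict]:
    """Return the records that need action, each tagged with its status."""
    return [
        {**rec, "status": status}
        for rec in inventory
        if (status := assess(rec["version"])) != "patched"
    ]


def looks_like_swf(content_type: str | None, body: bytes) -> bool:
    """Perimeter check for Flash content.

    The declared Content-Type is checked first, but the body signature is
    what matters: a hostile server can label a SWF as image/gif to get past
    a filter that only inspects headers.
    """
    declared = (content_type or "").split(";", 1)[0].strip().lower()
    return declared in FLASH_MIME_TYPES or body[:3] in SWF_MAGIC


# Constructed inventory: host names and most builds are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "version": "21.0.0.226"},    # upper bound from the CVE text
    {"host": "ws-02", "version": "21.0.0.242"},    # APSB16-15 desktop fix
    {"host": "ws-03", "version": "18.0.0.343"},    # older ESR build
    {"host": "ws-04", "version": "18.0.0.352"},    # APSB16-15 ESR fix
    {"host": "ws-05", "version": "11,2,202,577"},  # Linux NPAPI line, comma form
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['version']} -> {finding['status']}")
```

Run against a real inventory export, the script leaves "patched" hosts alone and lists everything else; "unknown-branch" is deliberately not collapsed into "vulnerable" so that a Linux 11.2.202.x host is checked against the bulletin rather than mis-reported either way. The body-signature check is the part to reuse in a proxy ICAP hook: a filter that trusts only Content-Type will pass a SWF served as an image.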


CVE-2016-4117 vulnerability details – vuln.today
