CVE-2018-4878

HIGH
2018-02-06
7.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
PoC Detected: Nov 18, 2025 - 17:03 (vuln.today), public exploit code
Added to CISA KEV: Nov 18, 2025 - 17:03 (cisa)
CVE Published: Feb 06, 2018 - 21:29 (nvd), HIGH 7.8

Description

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

Analysis

Adobe Flash Player contains a use-after-free vulnerability in the Primetime SDK's media player listener handling, exploited as a zero-day in January-February 2018 by North Korean APT groups in targeted attacks.

Technical Context

The CWE-416 use-after-free occurs when the Primetime SDK's media player frees a listener object while it is still referenced. Accessing the resulting dangling pointer allows attackers to control execution flow through heap manipulation.

Affected Products

Adobe Flash Player before 28.0.0.161 (all platforms)

Remediation

Flash Player is end-of-life. Remove it completely from all systems. This vulnerability accelerated the industry consensus to deprecate Flash.

Priority Score

69
KEV: +50
EPSS: +93.4
CVSS: +39
POC: +20
