CVE-2018-4878

CVE-2018-4878 is a high-severity vulnerability in Adobe Flash Player with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.

Key facts

Description

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

CVE-2018-4878: Adobe Flash Player Use-After-Free Arbitrary Code Execution Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2018-4878
CWE CWE-416 (Use-After-Free)
CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS v3 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS 0.89618 (99.77th percentile)
KEV Listed in CISA KEV (added 2021-11-03)
EU Exploited Yes (since 2021-11-03)
Affected Adobe Flash Player before 28.0.0.161
Patched Adobe Flash Player 28.0.0.161

Summary

A use-after-free vulnerability in Adobe Flash Player before version 28.0.0.161 allows attackers to execute arbitrary code. The flaw resides in the Primetime SDK, where a dangling pointer related to media player listener object handling can be leveraged for memory corruption. This vulnerability was actively exploited in the wild during January and February 2018.

Background

Adobe Flash Player was a widely deployed browser plugin and runtime for multimedia and rich Internet applications. Despite gradual deprecation, it remained a high-value target for attackers due to its ubiquity and complex codebase. In early 2018, security researchers identified in-the-wild exploitation of a zero-day vulnerability in Flash Player, later assigned CVE-2018-4878. The vulnerability was leveraged by threat actors in targeted attacks and mass malspam campaigns.

Root Cause

CWE-416: Use-After-Free

The vulnerability stems from a dangling pointer in the Adobe Flash Player Primetime SDK. Specifically, when the media player handles listener objects, a pointer to an object may remain accessible after the object has been freed. An attacker who can trigger this condition can corrupt memory and gain control of execution flow. The use-after-free occurs because the application fails to properly invalidate or clear references to freed memory during listener object lifecycle transitions.

Impact

The CVSS v2 base score of 7.5 reflects a network-accessible, low-complexity attack requiring no authentication, yielding partial impacts across confidentiality, integrity, and availability. The CVSS v3 score of 7.8 (HIGH) accounts for local attack vector (via user execution), but emphasizes the severe consequences: high confidentiality, integrity, and availability impacts. Successful exploitation leads to arbitrary code execution in the context of the Flash Player process, which typically runs with the privileges of the logged-in user.

Exploitation Walkthrough

Ethics Note: This section describes the attack from a defensive and forensic perspective. No weaponized exploit code or step-by-step reproduction instructions are provided.

Threat actors typically delivered exploitation via malicious Microsoft Office documents with embedded Adobe Flash content. When a victim opened the document, the embedded Flash object loaded and triggered the use-after-free condition in the Primetime SDK listener handling. Memory corruption was then leveraged to achieve arbitrary code execution within the Flash process. In observed campaigns, this initial access was used to download and execute secondary payloads.

Defensive analysts should look for:

  • Office documents containing unexpected or obfuscated embedded Flash objects.
  • Process memory anomalies in Flash Player or browser plugin containers.
  • Network connections initiated by Office applications or Flash processes to suspicious domains.

Affected and Patched Versions

Affected:

  • Adobe Flash Player versions prior to 28.0.0.161
  • Adobe Flash Player for Edge, Internet Explorer 11, and Chrome (bundled versions) prior to 28.0.0.161
  • Red Hat Enterprise Linux 6 Desktop, Server, and Workstation (Flash Player plugin packages)

Patched:

  • Adobe Flash Player 28.0.0.161 and later

Remediation

  1. Upgrade: Update Adobe Flash Player to version 28.0.0.161 or later. Adobe released APSB18-03 to address this vulnerability.
  2. Disable or Remove Flash: Since Adobe Flash Player reached end-of-life in December 2020, the strongest compensating control is complete removal or disablement of the Flash Player plugin and ActiveX control.
  3. Browser Hardening: Block Flash content in browsers and email clients; disable automatic execution of embedded objects in Microsoft Office.
  4. Application Whitelisting: Restrict execution of untrusted Office documents and browser plugins to reduce attack surface.

Detection

  • Monitor for Flash Player processes spawned by Microsoft Office applications (e.g., winword.exe launching Flash-related processes).
  • Inspect Office documents for embedded ActiveX or Flash objects using sandbox detonation or static analysis.
  • Correlate endpoint telemetry with known malicious indicators from campaigns leveraging this vulnerability (see FireEye, Talos, and Trend Micro reporting).
  • Review network logs for anomalous outbound connections from Flash Player processes.

Assessment

This vulnerability carries an EPSS score of 0.89618 (99.77th percentile), indicating a very high probability of exploitation in the wild. It is confirmed as a Known Exploited Vulnerability (KEV) by CISA and listed in the EU Exploited Vulnerability Database (EUVD-2018-16663) since 2021-11-03.

Key lessons:

  1. Timely patching matters: The gap between in-the-wild exploitation (January 2018) and patch availability (early February 2018) provided a critical window for defenders. Organizations with mature patch management reduced exposure.
  2. Legacy software risk: The continued presence of Flash Player long after its EOL demonstrates how legacy components with complex codebases can become persistent liabilities. Proactive removal of deprecated software is a high-value defensive measure.

References

Frequently asked questions

What is CVE-2018-4878?
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.
How severe is CVE-2018-4878?
CVE-2018-4878 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-4878 being actively exploited?
Yes. CVE-2018-4878 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-4878?
CVE-2018-4878 primarily affects Adobe Flash Player. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-4878?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-4878 have an EU (EUVD) identifier?
Yes. CVE-2018-4878 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-16663. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2018-4878 published?
CVE-2018-4878 was published on 2018-02-06 and last updated on 2026-06-17.

References

Affected products (7)

More vulnerabilities in Adobe Flash Player

All CVEs affecting Adobe Flash Player →

Other CWE-416 (Use After Free) vulnerabilities

Browse all CWE-416 (Use After Free) vulnerabilities →