CVE-2018-4878
CVE-2018-4878 is a high-severity vulnerability in Adobe Flash Player with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2018-16663
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-416
- Affected product: Adobe Flash Player
- Published:
- Last modified:
Description
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.
CVE-2018-4878: Adobe Flash Player Use-After-Free Arbitrary Code Execution Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-4878 |
| CWE | CWE-416 (Use-After-Free) |
| CVSS v2 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| CVSS v3 | 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| EPSS | 0.89618 (99.77th percentile) |
| KEV | Listed in CISA KEV (added 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Affected | Adobe Flash Player before 28.0.0.161 |
| Patched | Adobe Flash Player 28.0.0.161 |
Summary
A use-after-free vulnerability in Adobe Flash Player before version 28.0.0.161 allows attackers to execute arbitrary code. The flaw resides in the Primetime SDK, where a dangling pointer related to media player listener object handling can be leveraged for memory corruption. This vulnerability was actively exploited in the wild during January and February 2018.
Background
Adobe Flash Player was a widely deployed browser plugin and runtime for multimedia and rich Internet applications. Despite gradual deprecation, it remained a high-value target for attackers due to its ubiquity and complex codebase. In early 2018, security researchers identified in-the-wild exploitation of a zero-day vulnerability in Flash Player, later assigned CVE-2018-4878. The vulnerability was leveraged by threat actors in targeted attacks and mass malspam campaigns.
Root Cause
CWE-416: Use-After-Free
The vulnerability stems from a dangling pointer in the Adobe Flash Player Primetime SDK. Specifically, when the media player handles listener objects, a pointer to an object may remain accessible after the object has been freed. An attacker who can trigger this condition can corrupt memory and gain control of execution flow. The use-after-free occurs because the application fails to properly invalidate or clear references to freed memory during listener object lifecycle transitions.
Impact
The CVSS v2 base score of 7.5 reflects a network-accessible, low-complexity attack requiring no authentication, yielding partial impacts across confidentiality, integrity, and availability. The CVSS v3 score of 7.8 (HIGH) accounts for local attack vector (via user execution), but emphasizes the severe consequences: high confidentiality, integrity, and availability impacts. Successful exploitation leads to arbitrary code execution in the context of the Flash Player process, which typically runs with the privileges of the logged-in user.
Exploitation Walkthrough
Ethics Note: This section describes the attack from a defensive and forensic perspective. No weaponized exploit code or step-by-step reproduction instructions are provided.
Threat actors typically delivered exploitation via malicious Microsoft Office documents with embedded Adobe Flash content. When a victim opened the document, the embedded Flash object loaded and triggered the use-after-free condition in the Primetime SDK listener handling. Memory corruption was then leveraged to achieve arbitrary code execution within the Flash process. In observed campaigns, this initial access was used to download and execute secondary payloads.
Defensive analysts should look for:
- Office documents containing unexpected or obfuscated embedded Flash objects.
- Process memory anomalies in Flash Player or browser plugin containers.
- Network connections initiated by Office applications or Flash processes to suspicious domains.
Affected and Patched Versions
Affected:
- Adobe Flash Player versions prior to 28.0.0.161
- Adobe Flash Player for Edge, Internet Explorer 11, and Chrome (bundled versions) prior to 28.0.0.161
- Red Hat Enterprise Linux 6 Desktop, Server, and Workstation (Flash Player plugin packages)
Patched:
- Adobe Flash Player 28.0.0.161 and later
Remediation
- Upgrade: Update Adobe Flash Player to version 28.0.0.161 or later. Adobe released APSB18-03 to address this vulnerability.
- Disable or Remove Flash: Since Adobe Flash Player reached end-of-life in December 2020, the strongest compensating control is complete removal or disablement of the Flash Player plugin and ActiveX control.
- Browser Hardening: Block Flash content in browsers and email clients; disable automatic execution of embedded objects in Microsoft Office.
- Application Whitelisting: Restrict execution of untrusted Office documents and browser plugins to reduce attack surface.
Detection
- Monitor for Flash Player processes spawned by Microsoft Office applications (e.g.,
winword.exelaunching Flash-related processes). - Inspect Office documents for embedded ActiveX or Flash objects using sandbox detonation or static analysis.
- Correlate endpoint telemetry with known malicious indicators from campaigns leveraging this vulnerability (see FireEye, Talos, and Trend Micro reporting).
- Review network logs for anomalous outbound connections from Flash Player processes.
Assessment
This vulnerability carries an EPSS score of 0.89618 (99.77th percentile), indicating a very high probability of exploitation in the wild. It is confirmed as a Known Exploited Vulnerability (KEV) by CISA and listed in the EU Exploited Vulnerability Database (EUVD-2018-16663) since 2021-11-03.
Key lessons:
- Timely patching matters: The gap between in-the-wild exploitation (January 2018) and patch availability (early February 2018) provided a critical window for defenders. Organizations with mature patch management reduced exposure.
- Legacy software risk: The continued presence of Flash Player long after its EOL demonstrates how legacy components with complex codebases can become persistent liabilities. Proactive removal of deprecated software is a high-value defensive measure.
References
- https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
- https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html
- https://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
- https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets
- https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/
- https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/
- https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign
- https://access.redhat.com/errata/RHSA-2018:0285
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878
- https://github.com/cisagov/vulnrichment/issues/196
Frequently asked questions
- What is CVE-2018-4878?
- A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.
- How severe is CVE-2018-4878?
- CVE-2018-4878 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-4878 being actively exploited?
- Yes. CVE-2018-4878 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-4878?
- CVE-2018-4878 primarily affects Adobe Flash Player. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-4878?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-4878 have an EU (EUVD) identifier?
- Yes. CVE-2018-4878 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-16663. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2018-4878 published?
- CVE-2018-4878 was published on 2018-02-06 and last updated on 2026-06-17.
References
- http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
- http://www.securityfocus.com/bid/102893
- http://www.securitytracker.com/id/1040318
- https://access.redhat.com/errata/RHSA-2018:0285
- https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign
- https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day
- https://github.com/vysec/CVE-2018-4878
- https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
- https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/
- https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/
- https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139
- https://www.exploit-db.com/exploits/44412/
- https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html
- https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets
- https://github.com/cisagov/vulnrichment/issues/196
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878
Affected products (7)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:*
More vulnerabilities in Adobe Flash Player
- CVE-2015-8459 — Critical (CVSS 10.0): Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on…
- CVE-2015-8457 — Critical (CVSS 10.0): Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and…
- CVE-2015-8455 — Critical (CVSS 10.0): Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on…
- CVE-2015-8454 — Critical (CVSS 10.0): Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and…
- CVE-2015-8452 — Critical (CVSS 10.0): Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and…
- CVE-2015-8451 — Critical (CVSS 10.0): Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on…
All CVEs affecting Adobe Flash Player →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…