CVE-2010-3636
Description
Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris, and 10.1.95.1 on Android, does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player parsing of cross-domain policy files has an encoding flaw, allowing remote attackers to bypass same-origin restrictions.
Vulnerability
Adobe Flash Player versions before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris, and 10.1.95.1 on Android, do not properly handle unspecified encodings during the parsing of a cross-domain policy file. This allows remote web servers to bypass intended access restrictions via unknown vectors [1].
Exploitation
An attacker can craft a malicious cross-domain policy file with a specific encoding that is mishandled by the vulnerable Flash Player. When a user loads content from the attacker's domain, the policy file is parsed incorrectly, potentially granting the Flash application cross-domain access that should be blocked. The attacker requires no authentication and only needs to serve the policy file from a web server.
Impact
Successful exploitation allows an attacker to bypass the same-origin policy, enabling unauthorized cross-domain data access. This could lead to information disclosure, data manipulation, or other attacks that depend on cross-domain interaction.
Mitigation
Adobe released updates to Flash Player 9.0.289.0 and 10.1.102.64 for desktop platforms, and 10.1.95.1 for Android, to address this issue. Users should upgrade to these versions or later. For systems where updating is not possible, consider disabling Flash Player or using browser security settings to restrict Flash execution. Affected vendors have issued advisories [1][2][3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.0.289.0 for 9.x, <10.1.102.64 for 10.x, <=10.1.95.1 for Android
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.adobe.com/support/security/bulletins/apsb10-26.html (nvd: Patch, Vendor Advisory)
- jvn.jp/en/jp/JVN48425028/index.html (nvd: Third Party Advisory, VDB Entry)
- jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000054.html (nvd: Third Party Advisory, VDB Entry)
- lists.apple.com/archives/security-announce/2010//Nov/msg00000.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2010-11/msg00002.html (nvd: Third Party Advisory)
- marc.info (nvd: Mailing List, Third Party Advisory)
- secunia.com/advisories/42183 (nvd: Third Party Advisory)
- secunia.com/advisories/42926 (nvd: Third Party Advisory)
- secunia.com/advisories/43026 (nvd: Third Party Advisory)
- security.gentoo.org/glsa/glsa-201101-09.xml (nvd: Third Party Advisory)
- support.apple.com/kb/HT4435 (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2010-0829.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2010-0834.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2010-0867.html (nvd: Third Party Advisory)
- www.securityfocus.com/bid/44691 (nvd: Third Party Advisory, VDB Entry)
- www.vupen.com/english/advisories/2010/2903 (nvd: Third Party Advisory)
- www.vupen.com/english/advisories/2010/2906 (nvd: Third Party Advisory)
- www.vupen.com/english/advisories/2010/2918 (nvd: Third Party Advisory)
- www.vupen.com/english/advisories/2011/0173 (nvd: Third Party Advisory)
- www.vupen.com/english/advisories/2011/0192 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12142 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15913 (nvd: Third Party Advisory)
- blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash1 (nvd: Broken Link)
News mentions
No linked articles in our index yet.