VYPR
High severity · 7.5 · NVD Advisory · Published Jul 13, 2016 · Updated May 6, 2026

CVE-2016-4232


Description

Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X and before 11.2.202.632 on Linux allows attackers to obtain sensitive information from process memory via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 22.0.0.209 allows memory info leak via overwritten ColorTransform constructor.

Vulnerability

An information disclosure vulnerability exists in Adobe Flash Player in the Transform.colorTransform getter. By overwriting the ColorTransform constructor with a getter using addProperty, a specially crafted SWF file can trigger a use-after-free condition that reads uninitialized or freed memory. Affected versions include Adobe Flash Player before 18.0.0.366 and 19.x through 22.x before 22.0.0.209 on Windows and OS X, and before 11.2.202.632 on Linux [1][2][3].

Exploitation

An attacker can exploit this vulnerability by luring a victim to load a malicious SWF file that manipulates the ColorTransform constructor via ActionScript. The PoC demonstrates creating an empty MovieClip, applying a ColorTransform, then adding a property getter for ColorTransform that removes the MovieClip. When reading the colorTransform property, the freed object's memory is accessed and printed to the screen [3]. No authentication or special network position is required beyond delivering the SWF to the victim.

Impact

Successful exploitation results in an information disclosure, leaking arbitrary process memory to the attacker. The leaked data may contain sensitive information such as credentials, cookies, or other secrets present in the Flash Player process memory. The vulnerability does not directly allow code execution but can be a stepping stone for further attacks [3].

Mitigation

Adobe released Flash Player version 22.0.0.209 (Windows/OS X) and 11.2.202.632 (Linux) to address this vulnerability [1][2]. Microsoft included the fix in Security Bulletin MS16-093 for Internet Explorer and Edge on supported Windows platforms [1]. Red Hat and Gentoo also released updated packages [2][4]. Users should update Flash Player to the latest version or disable Flash if it is not required.
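As an added example (not part of this advisory, and not Adobe or vendor tooling), the following Python check maps the version thresholds stated above onto a fleet inventory so a defender can list which hosts still need the update. The hostnames, platform labels and version strings are constructed sample data; the platform-to-branch mapping follows only what the description states (18.x and earlier fixed at 18.0.0.366 and 19.x through 22.x fixed at 22.0.0.209 on Windows/OS X, 11.2.202.632 on Linux).

```python
# Added example (not from the advisory): flag Flash Player versions that fall
# inside the affected ranges CVE-2016-4232 describes.
from typing import List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """Parse a dotted Flash version ('22.0.0.209') into a comparable 4-tuple.

    Missing trailing components are treated as 0; anything non-numeric raises.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


# Fixed versions taken from the advisory text.
FIXED_DESKTOP_18: Version = (18, 0, 0, 366)   # "before 18.0.0.366" (Windows/OS X)
FIXED_DESKTOP_22: Version = (22, 0, 0, 209)   # "19.x through 22.x before 22.0.0.209"
FIXED_LINUX_11: Version = (11, 2, 202, 632)   # "before 11.2.202.632" (Linux)


def is_affected(version: str, platform: str) -> bool:
    """Return True if this version/platform pair is within an affected range.

    Only the branches named in the advisory are modelled; a version newer than
    every named branch on that platform is reported as not affected.
    """
    v = parse_version(version)
    major = v[0]
    plat = platform.strip().lower()
    if plat == "linux":
        # The advisory describes a single fixed version on Linux.
        return v < FIXED_LINUX_11
    if plat in ("windows", "osx", "macos"):
        if major <= 18:
            return v < FIXED_DESKTOP_18
        if 19 <= major <= 22:
            return v < FIXED_DESKTOP_22
        return False
    raise ValueError(f"unknown platform label: {platform!r}")


Inventory = List[Tuple[str, str, str]]  # (hostname, platform, version)

# Constructed sample inventory; these hostnames and versions are not from the page.
SAMPLE_INVENTORY: Inventory = [
    ("ws-01", "windows", "22.0.0.192"),
    ("ws-02", "windows", "22.0.0.209"),
    ("mac-01", "osx", "18.0.0.360"),
    ("lnx-01", "linux", "11.2.202.626"),
    ("lnx-02", "linux", "11.2.202.632"),
]


def hosts_needing_update(inventory: Inventory) -> List[str]:
    """Return the sorted hostnames whose Flash Player version is affected."""
    return sorted(host for host, plat, ver in inventory if is_affected(ver, plat))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player affected by CVE-2016-4232, update required")
```

The comparison is done on integer tuples rather than strings so that, for instance, 22.0.0.209 correctly sorts above 22.0.0.99; feeding the function an inventory exported from a software-inventory tool is the intended use.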

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 9

News mentions: 0 (no linked articles in our index yet)