CVE-2016-4271
Description
Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2016-4277 and CVE-2016-4278, aka a "local-with-filesystem Flash sandbox bypass" issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player local-with-filesystem sandbox bypass allows data exfiltration and credential theft via crafted URI schemes.
Vulnerability
Adobe Flash Player before version 18.0.0.375 and versions 19.0 through 23.0 before 23.0.0.162 on Windows and OS X, and before version 11.2.202.635 on Linux, contains a local-with-filesystem sandbox bypass. The vulnerability stems from a design flaw that allows a locally opened SWF file (using file:// or UNC paths without an IP address or qualifying domain) to combine two URI schemes to initiate outbound SMB connections, effectively bypassing the sandbox restrictions that should prevent Internet access [1], [2].
Exploitation
An attacker must first convince a user to open a crafted local SWF file (e.g., via a downloaded attachment or a file hosted on a share). The SWF file runs within the local-with-filesystem sandbox. By leveraging the unspecified combination of URI schemes, the attacker can make the Flash Player initiate an SMB connection to a remote attacker-controlled server. No other special network position or authentication is required beyond the user opening the file [2].
Impact
Successful exploitation allows an attacker to exfiltrate local data from the victim's machine and obtain Windows user credentials (e.g., NTLM hashes) through the SMB connection. This constitutes a bypass of the security sandbox, leading to sensitive information disclosure [2]. The vulnerability was a key factor in Adobe's decision to discontinue the local-with-filesystem sandbox from Flash Player 23.0.0.162 onward [2].
Mitigation
Adobe fixed this vulnerability in Flash Player 23.0.0.162 (and 11.2.202.635 on Linux) released on September 13, 2016, as documented in APSB16-29 [2]. Red Hat and Gentoo security advisories recommend upgrading to the patched versions [1], [3]. For systems that cannot upgrade, the only known workaround is to disable Flash Player or to avoid opening local SWF files from untrusted sources. No KEV listing is currently available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <18.0.0.375 (Windows/OS X) or <11.2.202.635 (Linux) or 19.x–23.x <23.0.0.162
- osv-coords2 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1
< 11.2.202.635-140.1+ 1 more
- (no CPE)range: < 11.2.202.635-140.1
- (no CPE)range: < 11.2.202.635-140.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- helpx.adobe.com/security/products/flash-player/apsb16-29.htmlnvdPatchVendor Advisory
- blog.bjornweb.nl/2017/02/flash-bypassing-local-sandbox-data-exfiltration-credentials-leak/nvdExploitThird Party Advisory
- lab.truel.it/flash-sandbox-bypass/nvdBroken LinkTechnical DescriptionThird Party Advisory
- rhn.redhat.com/errata/RHSA-2016-1865.htmlnvdThird Party Advisory
- www.securitytracker.com/id/1036791nvdBroken LinkThird Party AdvisoryVDB Entry
- security.gentoo.org/glsa/201610-10nvdThird Party Advisory
News mentions
0No linked articles in our index yet.