CVE-2017-2938
Description
Adobe Flash Player versions 24.0.0.186 and earlier have a security bypass vulnerability related to handling TCP connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 24.0.0.194 has a security bypass in TCP connection handling, potentially allowing information disclosure.
Vulnerability
Adobe Flash Player versions 24.0.0.186 and earlier contain a security bypass vulnerability related to handling TCP connections [1]. The flaw exists in the way the player processes network connections, allowing an attacker to bypass security restrictions. The affected versions are those prior to 24.0.0.194, which was released as a fix [1].
Exploitation
An attacker must craft a malicious SWF file and deliver it to a victim, typically via a web page or email. No authentication is required; the victim only needs to load the SWF content. The exploitation involves the SWF file triggering the vulnerability during TCP connection handling, leading to a security bypass [1][2].
Impact
Successful exploitation allows an attacker to bypass security restrictions, potentially resulting in the disclosure of sensitive information. The CVSS v3 base score is 6.5 (Medium), indicating a moderate impact on confidentiality [1]. The Red Hat advisory notes that this vulnerability is part of a set that could also lead to arbitrary code execution or denial of service, but for this specific CVE, the primary impact is security bypass [1].
Mitigation
The vulnerability is fixed in Adobe Flash Player version 24.0.0.194, released on 2017-01-11 [1]. Users should update to the latest version. For Red Hat Enterprise Linux 6, the update is available via RHSA-2017-0057 [1]. Gentoo users should upgrade to >=www-plugins/adobe-flash-24.0.0.221 [2]. No workaround is available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (7 entries)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <= 24.0.0.186)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:* (range: <= 24.0.0.186)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:* (range: <= 24.0.0.186)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer:*:* (range: <= 24.0.0.186)
- (no CPE) (range: <= 24.0.0.186)
- OSV coordinates (2 versions):
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1 (no CPE; range: < 24.0.0.194-155.1)
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1 (no CPE; range: < 24.0.0.194-155.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- helpx.adobe.com/security/products/flash-player/apsb17-02.html (source: nvd; tags: Patch, Vendor Advisory)
- rhn.redhat.com/errata/RHSA-2017-0057.html (source: nvd; tags: Third Party Advisory)
- www.securityfocus.com/bid/95341 (source: nvd; tags: Broken Link, Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1037570 (source: nvd; tags: Broken Link, Third Party Advisory, VDB Entry)
- security.gentoo.org/glsa/201702-20 (source: nvd; tags: Third Party Advisory)
News mentions
No linked articles in our index yet.