CVE-2017-3112
Description
An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of AdobePSDK metadata. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player 27.0.0.183 and earlier has an out-of-bounds read in AdobePSDK metadata, leading to sensitive data exposure.
Vulnerability
Adobe Flash Player versions 27.0.0.183 and earlier contain an out-of-bounds read vulnerability in the AdobePSDK metadata component. The flaw occurs when a computation reads data past the end of the target buffer, using an invalid pointer offset during access of internal data structure fields. This affects the Flash Player plugin on multiple platforms, including Red Hat Enterprise Linux and Gentoo [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SWF file that triggers the out-of-bounds read. The victim must load a webpage containing the malicious SWF content; no authentication or special privileges are required. The attack can be delivered via web pages or email links [1].
Impact
Successful exploitation results in sensitive data exposure (information disclosure). The attacker can read memory contents beyond the intended buffer, potentially leaking confidential data. The CVSS v3 base score is 9.8 (Critical) [1][2].
Mitigation
Adobe released Flash Player version 27.0.0.187 to fix this vulnerability. Red Hat provided updated packages via RHSA-2017:3222, and Gentoo issued GLSA 201711-13. Users should upgrade to the latest version. No workaround is available [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:* (range: <=27.0.0.183)
- (no CPE) (range: <=27.0.0.183)
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb17-33.html (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/101837 (nvd; Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039778 (nvd; Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:3222 (nvd; Third Party Advisory, VDB Entry)
- security.gentoo.org/glsa/201711-13 (nvd; Third Party Advisory, VDB Entry)