CVE-2017-3114
Description
An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability occurs as a result of a computation that reads data that is past the end of the target buffer; the computation is part of providing language-, region-, or country-specific functionality. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player 27.0.0.183 and earlier contains an out-of-bounds read vulnerability that can lead to sensitive data exposure via a crafted SWF file.
Vulnerability
An out-of-bounds read vulnerability exists in Adobe Flash Player up to and including version 27.0.0.183 [1][2]. The flaw occurs when the player computes an invalid pointer offset during the processing of language-, region-, or country-specific functionality, leading to a read past the end of an internal buffer [1].
Exploitation
An attacker can exploit this issue by crafting a malicious SWF file and convincing a victim to load it, typically through a web page or email attachment. No authentication or special network position is required; the victim simply needs to launch the SWF in an affected Flash Player [1][2]. The vulnerability can be triggered without user interaction beyond opening the malicious content [1].
Impact
Successful exploitation allows an attacker to read sensitive data from the victim's system, potentially exposing memory contents that could include credentials, session tokens, or other confidential information [1]. The vulnerability is rated as Critical (CVSS 9.8) and has been linked to arbitrary code execution in related advisories [1][2].
Mitigation
Adobe released Flash Player version 27.0.0.187 to address this vulnerability [1][2]. Red Hat provided updated flash-plugin packages for Red Hat Enterprise Linux 6 [1], and Gentoo recommended upgrading to >=www-plugins/adobe-flash-27.0.0.187 [2]. No workaround is available if the player remains unpatched [2]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:* (range: <=27.0.0.183)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:intenet_explorer_11:*:* (range: <=27.0.0.183)
- (no CPE) (range: <=27.0.0.183)
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb17-33.html (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/101837 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039778 (nvd: Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2017:3222 (nvd: Third Party Advisory, VDB Entry)
- security.gentoo.org/glsa/201711-13 (nvd: Third Party Advisory, VDB Entry)