VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-4878

⇱ NVD - CVE-2018-4878

  1. Vulnerabilities

CVE-2018-4878 Detail

Description

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html Adobe Systems Incorporated, CVE Technical Description  Third Party Advisory 
http://www.securityfocus.com/bid/102893 Adobe Systems Incorporated, CVE Broken Link 
http://www.securitytracker.com/id/1040318 Adobe Systems Incorporated, CVE Broken Link 
https://access.redhat.com/errata/RHSA-2018:0285 Adobe Systems Incorporated, CVE Third Party Advisory 
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign Adobe Systems Incorporated, CVE Third Party Advisory 
https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day Adobe Systems Incorporated, CVE Third Party Advisory 
https://github.com/cisagov/vulnrichment/issues/196 CISA-ADP Issue Tracking 
https://github.com/vysec/CVE-2018-4878 Adobe Systems Incorporated, CVE Third Party Advisory 
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html Adobe Systems Incorporated, CVE Vendor Advisory 
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/ Adobe Systems Incorporated, CVE Exploit  Third Party Advisory 
https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/ Adobe Systems Incorporated, CVE Third Party Advisory 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878 CISA-ADP Third Party Advisory  US Government Resource 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 Adobe Systems Incorporated, CVE Press/Media Coverage  Third Party Advisory 
https://www.exploit-db.com/exploits/44412/ Adobe Systems Incorporated, CVE Exploit  Third Party Advisory  VDB Entry 
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html Adobe Systems Incorporated, CVE Third Party Advisory 
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets Adobe Systems Incorporated, CVE Technical Description  Third Party Advisory 

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name Date Added Due Date Required Action
Adobe Flash Player Use-After-Free Vulnerability 11/03/2021 05/03/2022 The impacted product is end-of-life and should be disconnected if still in use.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-416 Use After Free πŸ‘ cwe source acceptance level
NIST   CISA-ADP  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

22 change records found show changes

CVE Modified by CISA-ADP 6/16/2026 9:59:12 PM

Action Type Old Value New Value
Added SSVC 
{"timestamp":"2025-11-17T19:26:05.552854Z","id":"CVE-2018-4878","options":[{"exploitation":"active"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by Adobe Systems Incorporated 6/16/2026 9:59:12 PM

Action Type Old Value New Value
Added Affected 
[{"vendor":"n/a","product":"Adobe Flash Player before 28.0.0.161","versions":[{"version":"Adobe Flash Player before 28.0.0.161","status":"affected"}]}]

Modified Analysis by NIST 11/18/2025 12:03:20 PM

Action Type Old Value New Value
Added CVSS V3.1 
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Removed CVSS V3.1 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added Reference Type 
CISA-ADP: https://github.com/cisagov/vulnrichment/issues/196 Types: Issue Tracking

CVE Modified by CISA-ADP 11/17/2025 3:15:48 PM

Action Type Old Value New Value
Added CVSS V3.1 
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Removed CVSS V3.1 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added Reference 
https://github.com/cisagov/vulnrichment/issues/196

Modified Analysis by NIST 10/23/2025 10:51:19 AM

Action Type Old Value New Value
Added Reference Type 
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878 Types: Third Party Advisory, US Government Resource

CVE Modified by CISA-ADP 10/21/2025 8:16:23 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878

CVE Modified by CISA-ADP 10/21/2025 4:17:14 PM

Action Type Old Value New Value
Removed Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878

CVE Modified by CISA-ADP 10/21/2025 3:17:31 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4878

Modified Analysis by NIST 2/13/2025 12:38:59 PM

Action Type Old Value New Value

CVE Modified by CISA-ADP 2/04/2025 5:15:37 PM

Action Type Old Value New Value
Added CVSS V3.1 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE 
CWE-416

Modified Analysis by NIST 1/23/2025 10:36:18 AM

Action Type Old Value New Value

CVE Modified by CVE 11/20/2024 11:07:37 PM

Action Type Old Value New Value
Added Reference 
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
Added Reference 
http://www.securityfocus.com/bid/102893
Added Reference 
http://www.securitytracker.com/id/1040318
Added Reference 
https://access.redhat.com/errata/RHSA-2018:0285
Added Reference 
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign
Added Reference 
https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day
Added Reference 
https://github.com/vysec/CVE-2018-4878
Added Reference 
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html
Added Reference 
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/
Added Reference 
https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/
Added Reference 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139
Added Reference 
https://www.exploit-db.com/exploits/44412/
Added Reference 
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html
Added Reference 
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets

CVE Modified by Adobe Systems Incorporated 5/14/2024 1:20:56 AM

Action Type Old Value New Value

Modified Analysis by NIST 4/18/2022 10:26:17 AM

Action Type Old Value New Value
Added CVSS V3.1 
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Removed CVSS V3 
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed Reference Type 
http://www.securityfocus.com/bid/102893 Third Party Advisory, VDB Entry


 
http://www.securityfocus.com/bid/102893 Broken Link
Changed Reference Type 
http://www.securitytracker.com/id/1040318 Third Party Advisory, VDB Entry


 
http://www.securitytracker.com/id/1040318 Broken Link
Changed Reference Type 
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/ No Types Assigned


 
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/ Exploit, Third Party Advisory
Changed Reference Type 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 Third Party Advisory


 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 Press/Media Coverage, Third Party Advisory
Changed Reference Type 
https://www.exploit-db.com/exploits/44412/ No Types Assigned


 
https://www.exploit-db.com/exploits/44412/ Exploit, Third Party Advisory, VDB Entry

CPE Deprecation Remap by NIST 9/08/2021 1:19:05 PM

Action Type Old Value New Value
Changed CPE Configuration 
OR
 *cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*


 
OR
 *cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

CVE Modified by Adobe Systems Incorporated 5/03/2018 9:29:13 PM

Action Type Old Value New Value
Added Reference 
https://www.exploit-db.com/exploits/44412/ [No Types Assigned]

CVE Modified by Adobe Systems Incorporated 3/08/2018 9:29:04 PM

Action Type Old Value New Value
Added Reference 
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/ [No Types Assigned]

Initial Analysis by NIST 3/01/2018 9:32:23 AM

Action Type Old Value New Value
Added CVSS V3 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CVSS V2 
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Added CWE 
CWE-416
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* versions up to (excluding) 28.0.0.161
 OR
 cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*
 cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:adobe:flash_player:*:*:*:*:*:chrome:*:* versions up to (excluding) 28.0.0.161
 OR
 cpe:2.3:o:apple:mac_os:-:*:*:*:*:*:*:*
 cpe:2.3:o:google:chrome_os:-:*:*:*:*:*:*:*
 cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:* versions up to (excluding) 28.0.0.161
 *cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:* versions up to (excluding) 28.0.0.161
 OR
 cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*
 cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
Added CPE Configuration 
OR
 *cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
 *cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
 *cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Changed Reference Type 
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html No Types Assigned


 
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html Technical Description, Third Party Advisory
Changed Reference Type 
http://www.securityfocus.com/bid/102893 No Types Assigned


 
http://www.securityfocus.com/bid/102893 Third Party Advisory, VDB Entry
Changed Reference Type 
http://www.securitytracker.com/id/1040318 No Types Assigned


 
http://www.securitytracker.com/id/1040318 Third Party Advisory, VDB Entry
Changed Reference Type 
https://access.redhat.com/errata/RHSA-2018:0285 No Types Assigned


 
https://access.redhat.com/errata/RHSA-2018:0285 Third Party Advisory
Changed Reference Type 
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign No Types Assigned


 
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign Third Party Advisory
Changed Reference Type 
https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day No Types Assigned


 
https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day Third Party Advisory
Changed Reference Type 
https://github.com/vysec/CVE-2018-4878 No Types Assigned


 
https://github.com/vysec/CVE-2018-4878 Third Party Advisory
Changed Reference Type 
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html No Types Assigned


 
https://helpx.adobe.com/security/products/flash-player/apsb18-03.html Vendor Advisory
Changed Reference Type 
https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/ No Types Assigned


 
https://threatpost.com/adobe-flash-player-zero-day-spotted-in-the-wild/129742/ Third Party Advisory
Changed Reference Type 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 No Types Assigned


 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 Third Party Advisory
Changed Reference Type 
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html No Types Assigned


 
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html Third Party Advisory
Changed Reference Type 
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets No Types Assigned


 
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/north-korean-hackers-allegedly-exploit-adobe-flash-player-vulnerability-cve-2018-4878-against-south-korean-targets Technical Description, Third Party Advisory

CVE Modified by Adobe Systems Incorporated 2/27/2018 9:29:03 PM

Action Type Old Value New Value
Changed Description 
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to the handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.


 
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.
Added Reference 
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign [No Types Assigned]
Added Reference 
https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139 [No Types Assigned]

CVE Modified by Adobe Systems Incorporated 2/12/2018 9:29:01 PM

Action Type Old Value New Value
Added Reference 
https://github.com/InQuest/malware-samples/tree/master/CVE-2018-4878-Adobe-Flash-DRM-UAF-0day [No Types Assigned]
Added Reference 
https://github.com/vysec/CVE-2018-4878 [No Types Assigned]

CVE Modified by Adobe Systems Incorporated 2/08/2018 9:29:03 PM

Action Type Old Value New Value
Added Reference 
https://access.redhat.com/errata/RHSA-2018:0285 [No Types Assigned]

CVE Modified by Adobe Systems Incorporated 2/07/2018 9:29:04 PM

Action Type Old Value New Value
Added Reference 
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html [No Types Assigned]
Added Reference 
http://www.securityfocus.com/bid/102893 [No Types Assigned]
Added Reference 
http://www.securitytracker.com/id/1040318 [No Types Assigned]

Quick Info

CVE Dictionary Entry:
CVE-2018-4878
NVD Published Date:
02/06/2018
NVD Last Modified:
06/16/2026
Source:
Adobe Systems Incorporated