CVE-2017-11292

ENISA EUVD: EUVD-2017-2926 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 2 articles Published: 2017-10-21

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

34.96%

probability

This CVE has a 34.96% probability of being exploited in the next 30 days.

0% Top 97.1th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

8.8

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

6.0

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)

Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecode verification procedure, which allows for an untrusted value to be used in the calculation of an array index. This can lead to type confusion, and successful exploitation could lead to arbitrary code execution.

Affected Products

n/a

Adobe Flash Player version 27.0.0.159 and earlier

adobe

flash player desktop runtime

adobe

flash player

redhat

enterprise linux desktop

redhat

enterprise linux server

redhat

enterprise linux workstation

n/a

Adobe Flash Player version 27.0.0.159 and earlier

Attack Intelligence

CWE-664 · Improper Control of a Resource Through its Lifetime CWE-704 · Incorrect Type Conversion CWE-843 · Type Confusion

Google Project Zero

Discovered

Oct. 10, 2017

Patched

Oct. 16, 2017

Reported by

Anton Ivanov of Kaspersky Labs

Root Cause Analysis

???

http://www.securitytracker.com/id/1039582

vdb-entry x_refsource_SECTRACK

https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

x_refsource_CONFIRM

https://security.gentoo.org/glsa/201710-22

vendor-advisory x_refsource_GENTOO

http://www.securityfocus.com/bid/101286

vdb-entry x_refsource_BID

https://access.redhat.com/errata/RHSA-2017:2899

vendor-advisory x_refsource_REDHAT

Signal Intelligence

Confidenceⓘ

85%

EPSS 34.96%

CVSS v3.1 8.8

Mentions 2

Last Seen Oct 17, 2017

CNA Information

CNA Assigner

adobe

Analyst Note

CVE-2017-11292 is confirmed as a critical zero-day affecting Adobe Flash Player with a high CVSS score of 8.8, demonstrated type confusion vulnerability leading to arbitrary code execution, and documented active exploitation reported by CERT-EU. The vulnerability's inclusion in Google Project Zero and CERT-EU security advisory provides strong corroboration of the threat despite limited public articles.

Triage Info

Decided atMar 03, 2026

Published DateOct 21, 2017