Flash Player < 11.2.202.626 / 18.0.0.360 / 22.0.0.192 Multiple Vulnerabilities

Versions of Adobe Flash Player prior to 11.2.202.626, 18.0.0.360, or 22.0.0.192 are outdated and thus unpatched for the following vulnerabilities :

• Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-4144, CVE-2016-4149)
• Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148)
• Multiple unspecified memory corruption flaws exists that are triggered when user-supplied input is not properly validated. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4126, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4133, CVE-2016-4134, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166)
• Unspecified Heap Buffer Overflow conditions exists when an overflow condition is triggered as user-supplied input and is not properly validated when handling ATF files. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-4135)
• A double-free flaw exists, which may be triggered as user-supplied input is not properly validated when handling JXR files. This may allow a context-dependent attacker to free already freed memory and potentially execute arbitrary code. (CVE-2016-4136)
• A heap buffer overflow flaw exists when an overflow condition that is triggered as user-supplied input is not properly validated when handling ATF image packing. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code. (CVE-2016-4138)
• A flaw is triggered as user-supplied input is not properly validated when handling LMZA property decoding. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4137)
• An unspecified memory corruption flaw exists, which is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4141)
• A flaw is triggered when loading certain dynamic-link libraries. By placing a specially crafted library in the path and tricking a user into opening a file, a context-dependent attacker can inject and execute arbitrary code with the privilege of the user running the program. (CVE-2016-4140)
• An unspecified flaw exists, which may allow a context-dependent attacker to bypass the same-origin policy and gain access to potentially sensitive information. (CVE-2016-4166)