CVE-2016-0984

What Is Adobe Flash Player and AIR?

Adobe Flash Player was the dominant cross-platform browser multimedia plugin, installed on over 90% of internet-connected computers at peak deployment. Adobe AIR (Adobe Integrated Runtime) is the desktop application runtime built on Flash technology, allowing Flash-based applications to run outside the browser. Both products reached end-of-life on December 31, 2020 with no further security updates. Their combination of universal deployment and complex SWF parsing made them the highest-value browser plugin attack surface throughout the 2010s.

Overview

CVE-2016-0984 is a use-after-free remote code execution vulnerability in Adobe Flash Player and AIR that enables code execution via a specially crafted SWF file. The vulnerability was exploited by exploit kits in early 2016 for drive-by attacks against users visiting malicious or compromised web pages. Adobe released APSB16-04 on February 9, 2016, patching this and 17 other Flash vulnerabilities. Flash and AIR are permanently end-of-life since December 2020.

Affected Versions

Technical Details

Root Cause: Use-After-Free in Flash Player

CVE-2016-0984 is a use-after-free (CWE-416) vulnerability in Adobe Flash Player's ActionScript runtime or media processing subsystem. A use-after-free occurs when:

1. Object allocation — Flash allocates a heap object during SWF processing (ActionScript execution, media decoding, etc.)
2. Premature free — the object is freed (garbage collected or explicitly deleted) while a reference to it remains in scope
3. Memory reuse — Flash's allocator assigns the freed memory region to a new, attacker-controlled object
4. Stale reference access — when Flash subsequently uses the stale reference to the freed object, it interacts with the newly allocated attacker-controlled memory
5. Type confusion — treating attacker-controlled data as a trusted Flash object provides arbitrary heap read/write
6. Code execution — the heap primitives are used to locate and overwrite function pointers, redirecting code execution

Exploit kit operators adapted public Flash UAF techniques from prior CVEs (such as the Hacking Team zero-days from 2015) to new UAF vulnerabilities as they were disclosed, maintaining continuous Flash exploitation capability.

Attack Characteristics

Discovery

Identified and reported to Adobe; patched in APSB16-04 (February 2016), which addressed 18 Flash Player vulnerabilities simultaneously.

Exploitation Context

• Exploit kit activity in early 2016: Angler and Nuclear exploit kits maintained active Flash exploitation portfolios in early 2016; CVE-2016-0984 was integrated alongside other APSB16-04 fixes as one of multiple available Flash vectors for drive-by attacks
• Flash decline trajectory: By early 2016, browser vendors were increasingly restricting Flash — Chrome required click-to-activate for Flash content, Firefox required user activation, and IE with Windows 10 had click-to-activate enabled; this was reducing exploit kit success rates but not eliminating them
• Flash/AIR EOL: Flash Player and AIR are permanently end-of-life since December 2020; no further patches will be issued for CVE-2016-0984 or any other known Flash vulnerability
• CISA KEV (2022): Added May 2022

Remediation

1. Remove Flash Player and AIR — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash and AIR are permanently end-of-life.

2. Migrate Flash-dependent applications — identify remaining Flash/AIR applications and migrate to HTML5, Electron, or other supported alternatives.

3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

4. Browser controls — all modern browsers have removed Flash support.