CVE-2016-1019 — Adobe Flash Player Arbitrary Code Execution Vulnerability

CVE-2016-1019

Adobe Flash Player — Zero-Day Heap Overflow Exploited by Magnitude/Nuclear Kits for Cerber Ransomware; Emergency APSB16-10 (April 2016); Ransomware Use Confirmed

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support on December 31, 2020. CVE-2016-1019 is one of the last significant Flash zero-days before browsers began blocking Flash by default.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-1019 is a critical Flash Player zero-day — a heap-based memory corruption vulnerability actively exploited by the Magnitude and Nuclear exploit kits to deliver Cerber ransomware. Security researcher Kafeine (Proofpoint) discovered the active exploitation on approximately April 2, 2016, and Adobe released an emergency out-of-band patch APSB16-10 on April 7, 2016 — within five days of discovery. The CVSS UI:N (no user interaction) rating means Flash executes the malicious SWF automatically when a user visits the malicious page, requiring no additional click or interaction. This was one of the last notable Flash zero-days before major browsers implemented click-to-play restrictions that substantially reduced Flash exploitation viability.

Affected Versions

Flash Player     | Platform                          | Status
≤ 21.0.0.197     | Windows / Mac                     | Vulnerable
≤ 13.0.0.270     | Windows / Mac (extended support)  | Vulnerable
≤ 11.2.202.577   | Linux                             | Vulnerable
21.0.0.213       | Windows / Mac                     | Fixed (APSB16-10)
13.0.0.281       | Windows / Mac (extended support)  | Fixed (APSB16-10)
All versions     | All platforms                     | EOL — no further patches

Technical Details

Root Cause: Heap-Based Memory Corruption in Flash SWF Processing

CVE-2016-1019 is a memory corruption vulnerability (CWE-787, out-of-bounds write) in Adobe Flash Player's handling of SWF file content. Flash's ActionScript runtime or media processing code processes a crafted SWF element — a malformed ActionScript object, vector, or media stream — and performs a write operation that overflows the bounds of a heap-allocated buffer. This corrupts adjacent heap objects in a way that enables control flow hijacking.

The zero-day exploitation chain:

  1. Malvertising delivery — Magnitude and Nuclear exploit kits serve malicious SWF via advertising networks or compromised websites
  2. Auto-execution — Flash auto-executes the SWF without user interaction (UI:N)
  3. Heap corruption — the crafted SWF triggers the out-of-bounds write
  4. Control flow redirect — adjacent heap objects (vtables, function pointers) are overwritten
  5. Shellcode execution — Flash executes attacker-controlled code at user privilege level
  6. Cerber ransomware — the delivered payload encrypts user files and displays ransom demand

Ransomware Delivery Context

CVE-2016-1019 was exclusively observed delivering ransomware payloads — primarily Cerber, which was one of the dominant ransomware families of 2016. The zero-day status combined with the CVSS 9.8 / UI:N rating made it highly valuable for mass ransomware campaigns: every Flash-enabled browser visit to a Magnitude or Nuclear-compromised page was a potential victim.

Attack Characteristics

Attribute        | Detail
Attack Vector    | Network — malicious SWF via web page or ad
Authentication   | None required
User Interaction | None required (Flash auto-executes)
Zero-Day Window  | ~5 days (April 2–7, 2016)
Exploit Kits     | Magnitude, Nuclear Pack
Ransomware       | Cerber (primary payload)

Discovery

Security researcher Kafeine (working at Proofpoint) discovered CVE-2016-1019 exploitation in Magnitude and Nuclear exploit kit traffic approximately April 2, 2016, and published analysis on April 5, 2016. Adobe responded with APSB16-10 on April 7, 2016.

Exploitation Context

  • Last notable Flash zero-day for mass exploitation: CVE-2016-1019 was one of the final Flash zero-days to achieve mass exploitation via exploit kits before browser click-to-play requirements and Flash blocking significantly reduced the viability of Flash-based drive-by attacks; Chrome's click-to-activate requirement had already reduced Flash exploitation success rates, and Firefox began blocking Flash by default later in 2016
  • Cerber ransomware dominance: Cerber was the dominant ransomware-as-a-service (RaaS) platform in 2016; CVE-2016-1019 served as a highly effective delivery mechanism during its five-day zero-day window, potentially generating significant Cerber ransomware revenue in that period
  • Exploit kit decline: CVE-2016-1019 was one of the last exploits served by Nuclear Pack, which disappeared from the threat landscape in mid-2016; Magnitude also declined after this period
  • Flash EOL legacy: Flash has been permanently end-of-life since December 2020; no further patches will ever be issued, so any Flash installation still present keeps whatever vulnerabilities its version carries
  • CISA KEV (2022): Added March 2022

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life.

  2. Migrate Flash-dependent applications — identify remaining Flash content and migrate to HTML5 or another supported technology.

  3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

  4. Browser controls — all modern browsers have removed Flash support. IE11 with Flash should be upgraded to Edge or Chrome.
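The Affected Versions table and remediation step 1 both come down to one question per host: is Flash still present, and if so, is the build in a vulnerable range? The following is an added example (not from the advisory or from Adobe) that encodes the table's thresholds and runs them over a constructed inventory; the hostnames and version strings in INVENTORY are made up, and the platform names and 13.x-as-extended-support rule are assumptions taken from the table.

```python
# Added example (not from the advisory or Adobe): encodes the Affected Versions
# table and classifies a constructed inventory so hosts needing removal are listed.
import re

# Highest vulnerable build per branch, from the table. Builds above these carry
# the APSB16-10 fix (21.0.0.213 / 13.0.0.281) but are still end-of-life.
MAX_VULNERABLE = {
    "main": (21, 0, 0, 197),     # Windows / Mac current branch
    "esr": (13, 0, 0, 270),      # Windows / Mac extended support branch
    "linux": (11, 2, 202, 577),  # Linux branch
}


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Flash version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'vulnerable', 'fixed-eol' or 'unknown' for one install."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: verify by hand rather than skip
    platform = platform.lower()
    if platform == "linux":
        branch = "linux"
    elif platform in ("windows", "mac"):
        # 13.x has its own fixed build; other majors (14-20 included) are < 21.x
        branch = "esr" if version[0] == 13 else "main"
    else:
        return "unknown"  # platform not covered by the table
    return "vulnerable" if version <= MAX_VULNERABLE[branch] else "fixed-eol"


# Constructed inventory rows: (host, platform, reported Flash version)
INVENTORY = [
    ("ws-001", "Windows", "21.0.0.197"),
    ("ws-002", "Windows", "21.0.0.213"),
    ("ws-003", "Mac", "13.0.0.281"),
    ("lx-001", "Linux", "11.2.202.577"),
    ("ws-004", "Windows", "n/a"),
]


def removal_list(inventory):
    """All hosts with Flash present (every one is EOL), vulnerable ones first."""
    order = {"vulnerable": 0, "unknown": 1, "fixed-eol": 2}
    rows = [(host, classify(plat, ver)) for host, plat, ver in inventory]
    return sorted(rows, key=lambda r: order[r[1]])
```

Every host in the output belongs on the removal list; the status only orders the work, since fixed builds are still end-of-life.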

Key Details

Property             | Value
CVE ID               | CVE-2016-1019
Vendor / Product     | Adobe — Flash Player
NVD Published        | 2016-04-07
NVD Last Modified    | 2025-11-17
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-787 — Out-of-Bounds Write
CISA KEV Added       | 2022-03-03
CISA KEV Deadline    | 2022-03-24
Known Ransomware Use | ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date       | Event
2016-04-02 | Kafeine (Proofpoint) discovers CVE-2016-1019 zero-day being served by Magnitude exploit kit and Nuclear Pack for Cerber ransomware delivery
2016-04-05 | Proofpoint publishes analysis of active CVE-2016-1019 exploitation in Magnitude and Nuclear exploit kits
2016-04-07 | Adobe releases emergency out-of-band APSB16-10 patching CVE-2016-1019 in Flash Player 21.0.0.213
2016-04-07 | CVE-2016-1019 published by NVD
2020-12-31 | Adobe Flash Player reaches end-of-life
2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24 | CISA BOD 22-01 remediation deadline