Release date: April 5, 2016
Last updated: April 6, 2016
Vulnerability identifier: APSA16-01
CVE number: CVE-2016-1019
Platforms: Windows, Macintosh, Linux and Chrome OS
A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 22.214.171.1246 and earlier. A mitigation introduced in Flash Player 126.96.36.199 currently prevents exploitation of this vulnerability, protecting users running Flash Player 188.8.131.52 and later.
Adobe is planning to provide a security update to address this vulnerability as early as April 7. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Adobe categorizes this as a critical vulnerability.
Adobe would like to thank Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc.), as well as Clement Lecigne of Google for reporting CVE-2016-1019 and for working with Adobe to help protect our customers.