{"id":3527,"date":"2025-05-08T01:02:33","date_gmt":"2025-05-08T01:02:33","guid":{"rendered":"http:\/\/localhost\/?p=3527"},"modified":"2025-05-08T01:02:33","modified_gmt":"2025-05-08T01:02:33","slug":"cve-2012-1535-adobe-flash-player-113-kern-table-parsing-integer-overflow","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=3527","title":{"rendered":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">AKB:EA2FE8E1-D679-484F-84C3-70E4EB42E291<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">attackerkb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-07T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-07T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">7.8<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #ff4444; font-weight: bold;\">HIGH<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Attack Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">LOCAL<\/td>\n<\/tr>\n<\/table>\n<h3>Affected CVEs<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2012-1535<\/li>\n<\/ul>\n<\/div>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nUnspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.<\/p>\n<p>**Recent assessments:**  <\/p>\n<p>**wchen-r7** at September 12, 2019 6:07pm UTC reported:<\/p>\n<p>HERE<\/p>\n<p>    The first offset (0x7800) doesn&#8217;t seem to point to anything meanful in 010 editor. But the second<br \/>    one (0x8340) falls into the &#8220;kern&#8221; table section:<\/p>\n<p>    struct tTable Table[8]\tkern (1801810542) at 33604 for 15852\t8Ch\t10h\tFg:<br \/>    union Tag\t\t8Ch\t4h\tFg:<br \/>    ULONG checkSum\tA466AE58h\t90h\t4h\tFg:<br \/>    ULONG offset\t8344h\t94h\t4h\tFg:<br \/>    ULONG length\t3DECh\t98h\t4h\tFg:<\/p>\n<p>    The 010 TFF template can&#8217;t seem to parse the kern table properly. But we can do it manually.<br \/>    According to the TFF specs found at developer.apple.com:<\/p>\n<p>    \thttps:\/\/developer.apple.com\/fonts\/TTRefMan\/RM06\/Chap6kern.html<\/p>\n<p>    Table 25: &#8216;kern&#8217; header<br \/>    Type\tName\tDescription<br \/>    fixed32\tversion\tThe version number of the kerning table (0x00010000 for the current version).<br \/>    uint32\tnTables\tThe number of subtables included in the kerning table.<\/p>\n<p>    So let&#8217;s look at line 0x00008340 again:<\/p>\n<p>    $ cat PSPop.otf |hexdump -C |grep 00008340<br \/>    00008340  00 00 00 00 00 01 00 00  10 00 00 00 1e 0c ff e8  |&#8230;&#8230;&#8230;&#8230;&#8230;.|<br \/>                             ^Version  ^ nTables<\/p>\n<p>    Our DEP-bypass strategy is by remotely detecting the Flash version (which can be fingerprinted by<br \/>    checking the &#8216;x-flash-version&#8217; header), and then return the payload &#8212; including the ROP chain<br \/>    specific to that Flash version.  If we don&#8217;t have a suitable ROP chain for a Flash version, we<br \/>    return a JRE ROP chain instead.  One possible drawback while using the Flash ROP is that the Flash<br \/>    ocx can rebase. For example: if the victim machine has Adobe PDF installed, it is possible<br \/>    AcroIEHelperShim.dll can push the Flash ActiveX component out of 0x10000000, and then cause the<br \/>    exploit to fail. Other components could also do the same.<\/p>\n<p>    Note: Integer overflow probably needs to be explained better<\/p>\n<p>    # The Integer Overflow<\/p>\n<p>    Flash Version used to document the Integer Overflow: 11.3.300.268<\/p>\n<p>    * 10h bytes are reserved to store the Kern Header Info:<\/p>\n<p>.text:104418A3 mov eax, [ebp+Allocator]  <br \/>.text:104418A6 push 10h ; Size to allocate  <br \/>.text:104418A8 push eax  <br \/>.text:104418A9 call dword ptr [eax] ; Allocate memory for the Kern Header Info  <br \/>.text:104418AB mov esi, eax  <br \/>.text:104418AD pop ecx  <br \/>.text:104418AE pop ecx  <br \/>.text:104418AF mov [ebp+Kern_Header_1_var_C], esi<\/p>\n<p>    * The Kern Header is filled with the next data:<\/p>\n<p>[esi] => Allocator  <br \/>[esi + 4] => Stream  <br \/>[esi + 8] => nTables  <br \/>[esi + C] => pointer to SubTables<\/p>\n<p>.text:104418C0 mov eax, [ebp+stream]  <br \/>.text:104418C3 mov ecx, [ebp+Allocator]  <br \/>.text:104418C6 mov [esi+8], eax ; nTables  <br \/>.text:104418C9 shl eax, 4 ; \u00a1\u00a1\u00a1Integer Overflow!!!!  <br \/>.text:104418CC push eax ; Size to allocate for nTables  <br \/>.text:104418CD push ecx  <br \/>.text:104418CE mov [esi], ecx ; allocator  <br \/>.text:104418D0 mov [esi+4], edi ; stream<\/p>\n<p>    The nTables value suffers from an Integer Overflow on 104418C9 and the calculation is used to reserve memory<br \/>    to store the nTables. Basically it&#8217;s trying to get 0x10 bytes by every nTable:<\/p>\n<p>.text:104418D3 call dword ptr [ecx] ; Allocate Memory for nTables<\/p>\n<p>    And the pointer to the reserved Memory is stored in [esi+0ch]:<\/p>\n<p>.text:104418D5 pop ecx  <br \/>.text:104418D6 pop ecx  <br \/>.text:104418D7 xor ecx, ecx  <br \/>.text:104418D9 mov [esi+0Ch], eax ; Memory Allocated for the nTables, after the Integer Overflow\u2026<\/p>\n<p>    How is memory allocated when there is an Integer Overlow? Just a Sample:<\/p>\n<p>    * kern Table Header<\/p>\n<p>Breakpoint 0 hit  <br \/>eax=025fc1b0 ebx=00000008 ecx=00000000 edx=00003dec esi=00000000 edi=025f8250  <br \/>eip=104418a9 esp=0013dadc ebp=0013db08 iopl=0 nv up ei pl nz na pe nc  <br \/>cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206  <br \/>Flash32_11_3_300_268!DllUnregisterServer+0x285e47:  <br \/>104418a9 ff10 call dword ptr [eax] ds:0023:025fc1b0=8d440310  <br \/>0:000> p  <br \/>eax=025fd760 ebx=00000008 ecx=1088c214 edx=00000000 esi=00000000 edi=025f8250  <br \/>eip=104418ab esp=0013dadc ebp=0013db08 iopl=0 nv up ei pl zr na pe nc  <br \/>cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040246  <br \/>Flash32_11_3_300_268!DllUnregisterServer+0x285e49:  <br \/>104418ab 8bf0 mov esi,eax<\/p>\n<p>    So Memory for the Kern Table Header is allocated at: 025fd760<\/p>\n<p>    * nTables:<\/p>\n<p>eax=00000000 ebx=00000008 ecx=025fc1b0 edx=00000000 esi=025fd760 edi=025f8250  <br \/>eip=104418d3 esp=0013dadc ebp=0013db08 iopl=0 nv up ei pl zr na pe cy  <br \/>cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040247  <br \/>Flash32_11_3_300_268!DllUnregisterServer+0x285e71:  <br \/>104418d3 ff11 call dword ptr [ecx] ds:0023:025fc1b0=8d440310  <br \/>0:000> p  <br \/>eax=025f9038 ebx=00000008 ecx=1088c1cc edx=00000000 esi=025fd760 edi=025f8250  <br \/>eip=104418d5 esp=0013dadc ebp=0013db08 iopl=0 nv up ei pl zr na pe nc  <br \/>cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040246  <br \/>Flash32_11_3_300_268!DllUnregisterServer+0x285e73:  <br \/>104418d5 59 pop ecx<\/p>\n<p>    Memory for nTables is (incorrectly) allocated at: 025f9038<\/p>\n<p>    The crafted OTF font file has 0x10000000 nTables, and for every nTable 0x10 bytes<br \/>    are filled, it wants to say that, after<\/p>\n<p>025fd760 \u2013 025f9038 => 0x4728 \/ 0x10h => 0x472 (ENTRIES)<\/p>\n<p>    So after 0x472 entries, the memory for the kern Table Header should be<br \/>    overwritten. Having into account that the nTables memory is filled in a loop,<br \/>    after 0x472 loops, the Kern Header Table will be overwritten. It is interesting<br \/>    because the nTables value stored in the kern Header Table (offset +8) is used<br \/>    as condition to leave the copy loop:<\/p>\n<p>.text:104419C3 inc [ebp+counter_nTables_Read_var_8]  <br \/>.text:104419C6 mov eax, [ebp+Kern_Header_1_var_C]  <br \/>.text:104419C9 mov ecx, [ebp+counter_nTables_Read_var_8]  <br \/>.text:104419CC add [ebp+data_nTables_copied_var_4], 10h  <br \/>.text:104419D0 add ebx, [ebp+var_18]  <br \/>.text:104419D3 mov esi, eax  <br \/>.text:104419D5 cmp ecx, [eax+8] ; comparing ecx with nTables  <br \/>.text:104419D8 jb loc_10441906 ; copy loop<\/p>\n<p>    In every loop 0x10 bytes are filled. In order to understand how memory is overwritten<br \/>    we can put the next breakpoints:<\/p>\n<p>bp 10441964 \u201c.echo Offset 0; r esi; r eax; g\u201d  <br \/>bp 10441921 \u201c.echo Offset 4; r esi; r ebx; g\u201d  <br \/>bp 10441973 \u201c.echo Offset 8; r esi; r eax; g\u201d  <br \/>bp 104419A6 \u201c.echo Offset C; r esi; r eax; g\u201d  <br \/>bp 104419D5 \u201c.echo Counter; r ecx; g\u201d<\/p>\n<p>    The file debug_flash.txt contains a debugged session to understand how nTables are filled. The<br \/>    data is partialy controlled from the OTF font file. The pattern is the next one:<\/p>\n<p>025fb138 00000000 1e0cfff0 1e0d0000 ffffffff  <br \/>025fb148 00000000 1e0cfff0 1e0d0000 ffffffff  <br \/>025fb158 00000000 1e0cfff0 1e0d0000 ffffffff<\/p>\n<p>                   ^^^^^^^^ ^^^^^^^^<br \/>                    controlled data<\/p>\n<p>    When the Kern header is overwritten it&#8217;s what happens when comparing the ecx counter with the<br \/>    nTables stored value:<\/p>\n<p>ecx=00000474  <br \/>eax + 8 => 025fd768 00000000<\/p>\n<p>    So it goes away from the loop, with the Kern Header Table filled with the next data:<\/p>\n<p>0:000> dd 025fd760 L4  <br \/>025fd760 1e0d0000 ffffffff 00000000 1e0cfff0<\/p>\n<p>    Once the function returns, it is what happens:<\/p>\n<p>.text:104354DF call overflow_sub_1044184C ; it manages the kern table  <br \/>.text:104354E4 add esp, 0Ch ; we\u2019re returning here  <br \/>.text:104354E7 mov [esi+0F8h], eax  <br \/>.text:104354ED  <br \/>.text:104354ED loc_104354ED: ; CODE XREF: sub_10435420+BAj  <br \/>.text:104354ED mov eax, [esi+4]  <br \/>.text:104354F0 push \u2018GDEF\u2019  <br \/>.text:104354F5 push dword ptr [esi+8]  <br \/>.text:104354F8 push eax  <br \/>.text:104354F9 push edi  <br \/>.text:104354FA push ebx  <br \/>.text:104354FB call dword ptr [eax+20h] ; get control<\/p>\n<p>    Once we return from overflow_sub_1044184C starts the parsing of the GDEF table (also related<br \/>    to OTF parsing), on 104354FB control can be achieved:<\/p>\n<p>Breakpoint 0 hit  <br \/>eax=029fb360 ebx=029fc1b0 ecx=00000472 edx=00000000 esi=02b8c020 edi=0013db80  <br \/>eip=104354fb esp=0013db08 ebp=0013db30 iopl=0 nv up ei pl nz na po nc  <br \/>cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040202  <br \/>Flash32_11_3_300_268!DllUnregisterServer+0x279a99:  <br \/>104354fb ff5020 call dword ptr [eax+20h] ds:0023:029fb380=00000d1e  <br \/>0:000> dd eax  <br \/>029fb360 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb370 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb380 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb390 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3a0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3b0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3c0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3d0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>0:000> dd eax + 20  <br \/>029fb380 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb390 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3a0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3b0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3c0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3d0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3e0 1e0d0000 ffffffff 00000000 1e0cfff0  <br \/>029fb3f0 1e0d0000 ffffffff 00000000 1e0cfff0<\/p>\n<p>    EAX comes from ESI+4:<\/p>\n<p>0:000> dd esi  <br \/>02b8c020 029fc1b0 029fb360 00000000 00000000<\/p>\n<p>                   ^^^^^^^^<\/p>\n<p>02b8c030 00000000 00000000 00000000 00000000  <br \/>02b8c040 029fd710 029ff4d0 00000000 00020001  <br \/>02b8c050 00040003 00060005 00080007 000a0009  <br \/>02b8c060 000c000b 000e000d 0010000f 00120011  <br \/>02b8c070 00140013 00160015 00180017 001a0019  <br \/>02b8c080 001c001b 001e001d 0020001f 00220021  <br \/>02b8c090 00240023 00260025 00280027 002a0029<\/p>\n<p>    As a sample in a use case it is what happens:<\/p>\n<p>    * Memory allocated for kern header table: 028fd740<br \/>    * Memory allocated for subtables: 028f9038<br \/>    * ESI+4h => 028fb360<\/p>\n<p>028F9038 => SUBTABLES  <br \/>. |  <br \/>. |  <br \/>028fb360 => Interesting pointer overwritten | Overflow!  <br \/>. |  <br \/>. |  <br \/>028fd740 => Kern header \\\/  <br \/>\u201d`<\/p>\n<p>Assessed Attacker Value: 0  <br \/>Assessed Attacker Value: 0Assessed Attacker Value: 0\n<\/div>\n<p><a href=\"https:\/\/attackerkb.com\/topics\/1S6wpZniKk\/cve-2012-1535-adobe-flash-player-11-3-kern-table-parsing-integer-overflow\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow Update ID AKB:EA2FE8E1-D679-484F-84C3-70E4EB42E291 Type attackerkb Published 2025-05-07T00:00:00 Last Updated&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[103,6,8,28,12,15,13,7,11,5],"class_list":["post-3527","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-attackerkb","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3527\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow Update ID AKB:EA2FE8E1-D679-484F-84C3-70E4EB42E291 Type attackerkb Published 2025-05-07T00:00:00 Last Updated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3527\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-08T01:02:33+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow\",\"datePublished\":\"2025-05-08T01:02:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527\"},\"wordCount\":1503,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"attackerkb\",\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3527#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527\",\"name\":\"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-08T01:02:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3527\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3527#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3527","og_locale":"en_US","og_type":"article","og_title":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem","og_description":"Security Update News Update Information Title CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow Update ID AKB:EA2FE8E1-D679-484F-84C3-70E4EB42E291 Type attackerkb Published 2025-05-07T00:00:00 Last Updated...","og_url":"https:\/\/zero.redgem.net\/?p=3527","og_site_name":"zero redgem","article_published_time":"2025-05-08T01:02:33+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3527#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3527"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow","datePublished":"2025-05-08T01:02:33+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3527"},"wordCount":1503,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["attackerkb","CVE","CVSS","CVSS-7.8","exploit","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3527#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3527","url":"https:\/\/zero.redgem.net\/?p=3527","name":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-08T01:02:33+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3527#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3527"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3527#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"CVE-2012-1535 Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3527"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3527\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}