CVE-2015-5119
CRITICAL
CISA KEV
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
Published: Jul 8, 2015
Modified: Apr 21, 2026
CWE-416
CVSS Metrics
CVSSv3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products (20)
| Vendor | Product | Version |
|---|---|---|
| adobe | flash_player | * ≥ 13.0.0.182 |
| adobe | flash_player | * ≥ 14.0.0.125 |
| adobe | flash_player | * |
| redhat | enterprise_linux_desktop | 5.0 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_eus | 6.6 |
| redhat | enterprise_linux_server | 5.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server_aus | 6.6 |
| redhat | enterprise_linux_server_from_rhui | 5.0 |
| redhat | enterprise_linux_server_from_rhui | 6.0 |
| redhat | enterprise_linux_workstation | 5.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| opensuse | evergreen | 11.4 |
| opensuse | opensuse | 13.1 |
| opensuse | opensuse | 13.2 |
| suse | linux_enterprise_desktop | 11 |
| suse | linux_enterprise_desktop | 11 |
| suse | linux_enterprise_desktop | 12 |
| suse | linux_enterprise_workstation_extension | 12 |
GitHub Security Advisory GHSA-3792-ff84-674w
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in...
References (34)
- http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/ Broken Link
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html Mailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.html Mailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html Mailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html Mailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-1214.html Third Party Advisory
- http://twitter.com/w3bd3vil/statuses/618168863708962816 Broken Link
- http://www.kb.cert.org/vuls/id/561288 Third Party Advisory, US Government Resource
- http://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf Third Party Advisory
- http://www.securityfocus.com/bid/75568 Broken Link, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1032809 Broken Link, Third Party Advisory, VDB Entry
- http://www.us-cert.gov/ncas/alerts/TA15-195A Third Party Advisory, US Government Resource
- https://helpx.adobe.com/security/products/flash-player/apsa15-03.html Broken Link, Patch, Vendor Advisory
- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html Broken Link, Patch, Vendor Advisory
- https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-After-Free.html Exploit, Third Party Advisory, VDB Entry
Risk Scores
CVSS Score: 9.8 / 10
EPSS Score: 93.21% (Top 0% most likely to be exploited)
Threat Score: 97.2 / 100
CISA Known Exploited
Date Added: 2022-03-03
Due Date: 2022-03-24
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Data Sources
NVD
CISA KEV
EPSS
GitHub