CVE-2015-5122

CRITICAL CISA KEV

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

Published: Jul 14, 2015 Modified: Apr 21, 2026

CWE-416 CWE-416

CVSS Metrics

CVSSv3

Attack Vector: NETWORK Attack Complexity: LOW Privileges Required: NONE User Interaction: NONE Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (19)

Vendor	Product	Version
adobe	flash_player	* ≥ 13.0
adobe	flash_player	* ≥ 18.0
adobe	flash_player_desktop_runtime	* ≥ 18.0
adobe	flash_player	* ≥ 18.0
adobe	flash_player	* ≥ 18.0
adobe	flash_player	* ≥ 18.0
adobe	flash_player	* ≥ 11.0
redhat	enterprise_linux_desktop	5.0
redhat	enterprise_linux_desktop	6.0
redhat	enterprise_linux_server	5.0
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_server_eus	6.6
redhat	enterprise_linux_workstation	5.0
redhat	enterprise_linux_workstation	6.0
opensuse	evergreen	11.4
suse	linux_enterprise_desktop	11
suse	linux_enterprise_desktop	11
suse	linux_enterprise_desktop	12
suse	linux_enterprise_workstation_extension	12

GitHub Security Advisory GHSA-9h3m-vp3m-35pw

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3)...

References (42)

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00028.html Mailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00029.html Mailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00032.html Mailing List, Third Party Advisory
http://marc.info/?l=bugtraq&m=144050155601375&w=2 Mailing List, Third Party Advisory
http://packetstormsecurity.com/files/132663/Adobe-Flash-opaqueBackground-Use-After-Free.html Exploit, Third Party Advisory, VDB Entry
http://rhn.redhat.com/errata/RHSA-2015-1235.html Third Party Advisory
http://www.kb.cert.org/vuls/id/338736 Third Party Advisory, US Government Resource
http://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_opaque_background_uaf Third Party Advisory
http://www.securityfocus.com/bid/75712 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1032890 Broken Link, Third Party Advisory, VDB Entry
http://www.us-cert.gov/ncas/alerts/TA15-195A Third Party Advisory, US Government Resource
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04796784 Broken Link, Third Party Advisory
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952467 Third Party Advisory
https://helpx.adobe.com/security/products/flash-player/apsa15-04.html Broken Link, Vendor Advisory
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html Broken Link, Vendor Advisory

Risk Scores

CVSS Score 9.8 / 10

EPSS Score 92.70%

Top 0% most likely to be exploited

Threat Score 97 / 100

CISA Known Exploited

Date Added: 2022-04-13

Due Date: 2022-05-04

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

Data Sources

NVD CISA KEV EPSS GitHub