Cyber Resilience

CVE-2015-0310

HighCISA KEVActive ExploitationEUVD Exploited

Published: 23 January 2015

Published
23 January 2015
Modified
21 April 2026
KEV Added
25 May 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1011 93.3th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-0310 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 6.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe Flash Player versions prior to 13.0.0.262, 14.x through 16.x prior to 16.0.0.287 on Windows and OS X, and prior to 11.2.202.438 on Linux contain a flaw that fails to properly restrict discovery of memory addresses. This weakness is tracked under CVE-2015-0310 with a CVSS 3.1 base score of 7.8 and is associated with CWE-200 information disclosure.

Attackers can leverage the issue through unknown vectors to bypass ASLR on Windows systems and obtain an unspecified impact on other platforms. The vulnerability was actively exploited in the wild during January 2015, enabling local attackers with the ability to supply crafted Flash content to weaken memory protections and facilitate further compromise.

Adobe addressed the flaw in security bulletin APSB15-02, which provides updated Flash Player builds for all affected platforms; multiple Secunia advisories also reference the same remediation steps and urge immediate application of the patches. The issue saw real-world exploitation shortly after disclosure, underscoring the need for rapid deployment of the vendor fixes.

EU & UK References

Vulnerability details

Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows,…

more

and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.

CWE(s)
KEV Date Added
25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player
≤ 11.2.202.438 · ≤ 13.0.0.262 · 14.0 — 16.0.0.287

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of vendor patches that remediate the memory-address disclosure flaw in Adobe Flash Player.

prevent

Enforces memory-protection mechanisms such as ASLR that the vulnerability is explicitly designed to bypass.

SC-18 Mobile Code partial match
prevent

Restricts use of mobile code (Flash) and thereby reduces the attack surface that supplies the crafted content used to exploit the flaw.

References