Cyber Resilience

CVE-2015-0313

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 02 February 2015
Modified: 21 April 2026
KEV Added: 13 April 2022
Patch
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9254 (99.8th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-0313 is a critical-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors. The flaw is tracked as CWE-416 and carries a CVSS 3.1 base score of 9.8. It is distinct from CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

Remote attackers can exploit the issue without authentication or user interaction beyond visiting a malicious page or opening a crafted document containing Flash content. Successful exploitation grants arbitrary code execution on the affected system. The vulnerability was observed being exploited in the wild in February 2015.

OpenSUSE security advisories referenced in the CVE entry direct users to updated Flash Player packages that resolve the use-after-free condition. Additional references, including exploit artifacts on Packet Storm, confirm the availability of patches that bring installations to the fixed versions listed in the CVE description.


Vulnerability details

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player: ≤ 11.2.202.442 · ≤ 13.0.0.269 · 14.0.0.125 — 16.0.0.305
opensuse / evergreen: 11.4
opensuse / opensuse: 13.1, 13.2
suse / linux enterprise desktop: 11, 12
suse / linux enterprise workstation extension: 12
microsoft / internet explorer: 10, 11
microsoft / edge: all versions

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of vendor patches that eliminate the use-after-free condition in Flash Player.

SC-18 Mobile Code (prevent): Restricts or authorizes execution of mobile code (Flash SWF content) that remote attackers use to trigger the vulnerability.

Malicious code protection (prevent, detect): Malicious-code protection mechanisms can block or detect exploit payloads delivered through Flash before arbitrary code executes.
