CVE-2015-0313
Published: 02 February 2015
Summary
CVE-2015-0313 is a critical-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors. The flaw is tracked as CWE-416 and carries a CVSS 3.1 base score of 9.8. It is distinct from CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.
Remote attackers can exploit the issue without authentication or user interaction beyond visiting a malicious page or opening a crafted document containing Flash content. Successful exploitation grants arbitrary code execution on the affected system. The vulnerability was observed being exploited in the wild in February 2015.
OpenSUSE security advisories referenced in the CVE entry direct users to updated Flash Player packages that resolve the use-after-free condition. Additional references, including exploit artifacts on Packet Storm, confirm the availability of patches that bring installations to the fixed versions listed in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-0326
Vulnerability details
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in…
more
February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.
- CWE(s)
- KEV Date Added
- 13 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of vendor patches that eliminate the use-after-free condition in Flash Player.
Restricts or authorizes execution of mobile code (Flash SWF content) that remote attackers use to trigger the vulnerability.
Malicious-code protection mechanisms can block or detect exploit payloads delivered through Flash before arbitrary code executes.