Cyber Resilience

CVE-2015-3043

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 14 April 2015
Modified: 21 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8740 (99.5th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-3043 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

Adobe Flash Player versions before 13.0.0.281, 14.x through 17.x before 17.0.0.169 on Windows and OS X, and before 11.2.202.457 on Linux are affected by a memory corruption vulnerability tracked as CVE-2015-3043. The flaw, assigned CWE-787, permits arbitrary code execution or denial of service through unspecified vectors and carries a CVSS 3.1 base score of 9.8. It is distinct from multiple other Flash vulnerabilities disclosed around the same period.

Remote attackers can exploit the issue without authentication or user interaction beyond loading crafted content, enabling full system compromise or service disruption. The vulnerability was actively exploited in the wild during April 2015.

Security advisories from OpenSUSE and Red Hat direct administrators to apply vendor-supplied updates that address the flaw in affected Flash Player releases. These updates are distributed through standard package management channels for the respective Linux distributions.

The issue saw confirmed real-world exploitation shortly after disclosure, underscoring the urgency of patching internet-facing systems that still run the vulnerable plugin.

EU & UK References

Vulnerability details

Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player: ≤ 11.2.202.457 · ≤ 13.0.0.281 · 14.0.0.125 — 17.0.0.169
novell / suse linux enterprise desktop: 11.0, 12.0
novell / suse linux enterprise workstation extension: 12.0
opensuse / evergreen: 11.4
opensuse / opensuse: 13.1, 13.2
redhat / enterprise linux desktop: 5.0, 6.0
redhat / enterprise linux eus: 6.6
redhat / enterprise linux server: 5.0, 6.0
redhat / enterprise linux server aus: 6.6
redhat / enterprise linux server from rhui: 5.0, 6.0
+1 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of vendor patches that remediate the memory-corruption flaw in vulnerable Flash Player versions.

prevent: Enforces least functionality by disabling or removing the Flash Player plugin, eliminating the attack surface for remote exploitation.

prevent: Deploys malicious-code protections that can block or sandbox the crafted SWF content used to trigger the memory corruption.
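As an added example that is not part of this record, the following check flags installed Flash Player builds that fall inside the affected ranges stated in the description above (supporting the flaw-remediation control). The platform labels and the host inventory are constructed assumptions, and the boundaries follow the description's "before" wording rather than the "≤" rendering in the asset list.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds taken from the vulnerability description on this page.
FIXED_13_BRANCH = (13, 0, 0, 281)   # Windows / OS X: everything before this is affected
FIXED_17_BRANCH = (17, 0, 0, 169)   # Windows / OS X: 14.x through 17.x before this is affected
FIXED_LINUX = (11, 2, 202, 457)     # Linux: everything before this is affected


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a 4-tuple, padding missing trailing components with 0."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised Flash Player version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def is_vulnerable(version: str, platform: str) -> bool:
    """True if this build falls inside the CVE-2015-3043 affected ranges."""
    v = parse_version(version)
    plat = platform.lower()          # platform labels are an assumption of this example
    if plat == "linux":
        return v < FIXED_LINUX
    if plat in ("windows", "osx"):
        if v < FIXED_13_BRANCH:      # covers 13.x and every older branch
            return True
        return 14 <= v[0] <= 17 and v < FIXED_17_BRANCH
    raise ValueError(f"unknown platform: {platform!r}")


def hosts_needing_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed build is still affected."""
    return [host for host, plat, ver in inventory if is_vulnerable(ver, plat)]


# Constructed sample inventory: (hostname, platform, installed Flash Player build).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "17.0.0.134"),  # affected: 17.x before 17.0.0.169
    ("ws-02", "windows", "17.0.0.169"),  # fixed build
    ("mac-01", "osx", "13.0.0.277"),     # affected: before 13.0.0.281
    ("mac-02", "osx", "13.0.0.281"),     # fixed build on the 13.x branch
    ("lx-01", "linux", "11.2.202.451"),  # affected: before 11.2.202.457
    ("lx-02", "linux", "11.2.202.457"),  # fixed build
]

if __name__ == "__main__":
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```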

References