Cyber Resilience

CVE-2015-3113

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 June 2015
Modified: 21 April 2026
KEV Added: 13 April 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9241 (99.7th percentile)
Risk Priority: 95 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-3113 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2015-3113 is a heap-based buffer overflow vulnerability, also described under CWE-787 and CWE-122, that affects Adobe Flash Player versions before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X, as well as versions before 11.2.202.468 on Linux. The flaw resides in the handling of unspecified input vectors that trigger out-of-bounds memory writes.

Remote attackers can exploit the issue over the network with no authentication or user interaction required beyond rendering malicious content, resulting in arbitrary code execution on the target system. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability.

Multiple vendor advisories, including those from openSUSE and Red Hat, direct administrators to apply the corresponding Flash Player updates referenced in their respective errata to eliminate the vulnerable code paths. The issue was observed being exploited in the wild during June 2015.

Vulnerability details

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.

CWE(s)
KEV Date Added: 13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe / flash player: ≤ 13.0.0.296 · 14.0.0.125 — 18.0.0.194 · ≤ 11.2.202.468
opensuse / evergreen: 11.4
opensuse / opensuse: 13.1, 13.2
suse / linux enterprise desktop: 12
suse / linux enterprise workstation extension: 12
hp / insight orchestration: ≤ 7.5.0
hp / system management homepage: ≤ 7.5.0
hp / systems insight manager: ≤ 7.5
hp / version control agent: ≤ 7.5.0
hp / version control repository manager: 7.6 · ≤ 7.5.0
+5 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires applying vendor patches to eliminate the vulnerable Flash Player code paths that permit heap buffer overflows.

SC-18 Mobile Code partial match
prevent

Restricts or authorizes execution of mobile code (Flash) and blocks unsigned or untrusted SWF content that triggers the overflow.

prevent · detect

Deploys malicious-code detection mechanisms that can identify and block exploit payloads targeting the Flash vulnerability before code execution occurs.
