CVE-2015-3113
Published: 23 June 2015
Summary
CVE-2015-3113 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2015-3113 is a heap-based buffer overflow vulnerability, also described under CWE-787 and CWE-122, that affects Adobe Flash Player versions before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X, as well as versions before 11.2.202.468 on Linux. The flaw resides in the handling of unspecified input vectors that trigger out-of-bounds memory writes.
Remote attackers can exploit the issue over the network with no authentication or user interaction required beyond rendering malicious content, resulting in arbitrary code execution on the target system. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability.
Multiple vendor advisories, including those from openSUSE and Red Hat, direct administrators to apply the corresponding Flash Player updates referenced in their respective errata to eliminate the vulnerable code paths. The issue was observed being exploited in the wild during June 2015.
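The affected version ranges above can be turned into an inventory check. This is an added example, not part of the original page or any vendor tooling; the host names, inventory rows and function names are constructed for illustration, and versions are assumed to be four-part dotted strings.

```python
# Fixed versions as stated in the advisory text above.
WIN_MAC_13_FIX = (13, 0, 0, 296)   # "before 13.0.0.296"
WIN_MAC_FIX = (18, 0, 0, 194)      # "14.x through 18.x before 18.0.0.194"
LINUX_FIX = (11, 2, 202, 468)      # "before 11.2.202.468 on Linux"


def parse_version(text):
    """Parse a string such as '18.0.0.160' into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform, version):
    """Return True if the version falls in a range the page lists as affected."""
    v = parse_version(version)
    p = platform.strip().lower()
    if p in ("windows", "os x"):
        if v < WIN_MAC_13_FIX:
            return True
        if v[0] == 13:
            return False          # 13.0.0.296 or later on the 13.x branch
        return v < WIN_MAC_FIX    # 14.x through 18.x before 18.0.0.194
    if p == "linux":
        return v < LINUX_FIX
    raise ValueError(f"platform not covered by this advisory: {platform!r}")


# Constructed sample inventory: (host, platform, installed Flash Player version)
INVENTORY = [
    ("ws-014", "windows", "18.0.0.160"),
    ("ws-022", "windows", "13.0.0.296"),
    ("mac-03", "os x", "17.0.0.188"),
    ("lnx-07", "linux", "11.2.202.466"),
    ("lnx-09", "linux", "11.2.202.468"),
    ("ws-031", "windows", "18.0.0.194"),
]


def affected_hosts(rows):
    """List hosts that still need the Flash Player update."""
    return [host for host, platform, version in rows if is_affected(platform, version)]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: Flash Player update required (CVE-2015-3113)")
```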
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-3194
Vulnerability details
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.
- CWE(s)
- KEV Date Added: 13 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying vendor patches to eliminate the vulnerable Flash Player code paths that permit heap buffer overflows.
Restricts or authorizes execution of mobile code (Flash) and blocks unsigned or untrusted SWF content that triggers the overflow.
Deploys malicious-code detection mechanisms that can identify and block exploit payloads targeting the Flash vulnerability before code execution occurs.