CVE-2015-5122
Published: 14 July 2015
Summary
CVE-2015-5122 is a critical-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a use-after-free flaw in the DisplayObject class of the ActionScript 3 implementation in Adobe Flash Player. It affects versions 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations, arising from improper handling of the opaqueBackground property and tracked as CWE-416.
Remote attackers can exploit the issue by serving crafted Flash content to victims, achieving arbitrary code execution or denial of service via memory corruption. The vulnerability carries a CVSS score of 9.8 and was exploited in the wild in July 2015.
Vendor security advisories, including multiple OpenSUSE announcements and related bulletins, address mitigation through updated Flash Player packages that resolve the use-after-free condition.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-5137
Vulnerability details
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
- CWE(s): CWE-416
- KEV Date Added: 13 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches that remediate the use-after-free flaw in Flash Player.
Restricts or disables execution of untrusted mobile code (Flash/AS3) that is the attack vector for this CVE.
Enforces least functionality by removing or disabling Flash Player when it is not an essential capability, eliminating the vulnerable component.