Cyber Resilience

CVE-2015-5122

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 July 2015

Published
14 July 2015
Modified
21 April 2026
KEV Added
13 April 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9270 99.8th percentile
Risk Priority 95 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-5122 is a critical-severity Use After Free (CWE-416) vulnerability in Adobe Flash Player. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw in the DisplayObject class of the ActionScript 3 implementation in Adobe Flash Player. It affects versions 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations, arising from improper handling of the opaqueBackground property and tracked as CWE-416.

Remote attackers can exploit the issue by serving crafted Flash content to victims, achieving arbitrary code execution or denial of service via memory corruption. The vulnerability carries a CVSS score of 9.8 and was exploited in the wild in July 2015.

Vendor security advisories, including multiple OpenSUSE announcements and related bulletins, address mitigation through updated Flash Player packages that resolve the use-after-free condition.

EU & UK References

Vulnerability details

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through…

more

18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

CWE(s)
KEV Date Added
13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
flash player
13.0 — 13.0.0.302 · 18.0 — 18.0.0.203 · 18.0 — 18.0.0.204
adobe
flash player desktop runtime
18.0 — 18.0.0.203
redhat
enterprise linux desktop
5.0, 6.0
redhat
enterprise linux server
5.0, 6.0
redhat
enterprise linux server eus
6.6
redhat
enterprise linux workstation
5.0, 6.0
opensuse
evergreen
11.4
suse
linux enterprise desktop
11, 12
suse
linux enterprise workstation extension
12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that remediate the use-after-free flaw in Flash Player.

prevent

Restricts or disables execution of untrusted mobile code (Flash/AS3) that is the attack vector for this CVE.

prevent

Enforces least functionality by removing or disabling Flash Player when it is not an essential capability, eliminating the vulnerable component.

References