Cyber Resilience

CVE-2015-5123

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 14 July 2015

Published
14 July 2015
Modified
21 April 2026
KEV Added
13 April 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4100 97.5th percentile
Risk Priority 64 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-5123 is a critical-severity Use After Free (CWE-416) vulnerability in Suse Linux Enterprise Desktop. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-5123 is a use-after-free vulnerability in the BitmapData class of the ActionScript 3 implementation in Adobe Flash Player. Affected versions include 13.x through 13.0.0.302 and 14.x through 18.0.0.203 on Windows and OS X, along with 11.x through 11.2.202.481 and 12.x through 18.0.0.204 on Linux and Linux Chrome installations. The flaw is tracked as CWE-416 and received a CVSS 3.1 score of 9.8.

Remote attackers can exploit the issue by serving crafted Flash content that overrides a valueOf function, resulting in arbitrary code execution or denial of service via memory corruption. No user interaction or authentication is required for successful exploitation over the network.

OpenSUSE security advisories reference patches and updated packages to address the vulnerability. The issue was exploited in the wild in July 2015 and surfaced publicly through the Hacking Team leak.

EU & UK References

Vulnerability details

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through…

more

18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

CWE(s)
KEV Date Added
13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

redhat
enterprise linux desktop
5.0, 6.0
redhat
enterprise linux server
5.0, 6.0
redhat
enterprise linux server eus
6.6
redhat
enterprise linux workstation
5.0, 6.0
opensuse
evergreen
11.4
suse
linux enterprise desktop
11, 12
suse
linux enterprise workstation extension
12
adobe
flash player
11.0 — 11.2.202.481 · 13.0 — 13.0.0.302 · 18.0 — 18.0.0.203
adobe
flash player desktop runtime
18.0 — 18.0.0.203

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly restricts use of mobile code technologies such as Flash and blocks execution of untrusted AS3 content that triggers the use-after-free flaw.

prevent

Requires prompt installation of vendor patches that eliminate the BitmapData use-after-free condition in affected Flash Player versions.

prevent

Enforces least functionality by disabling or removing the Flash Player plug-in entirely when its capabilities are not required.

References