Cyber Resilience

CVE-2015-8651

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 28 December 2015
Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8906 (99.5th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-8651 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability affecting SUSE Linux Enterprise Desktop. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2015-8651 is an integer overflow, tracked as CWE-190, that affects Adobe Flash Player versions before 18.0.0.324 as well as 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux. It also impacts Adobe AIR, Adobe AIR SDK, and Adobe AIR SDK & Compiler before 20.0.0.233. The flaw received a CVSS 3.1 score of 8.8.

An attacker can exploit the issue over the network with low complexity and no authentication, provided the victim performs some user interaction, to execute arbitrary code and thereby gain full control over confidentiality, integrity, and availability on the affected system.

Security advisories published by openSUSE and Red Hat for this vulnerability direct administrators to apply the updated Flash Player and AIR packages referenced in the respective errata to remediate the exposure.

EU & UK References

Vulnerability details

Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.

CWE(s): CWE-190 (Integer Overflow or Wraparound)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
adobe | air sdk | ≤ 20.0.0.233
adobe | air sdk & compiler | ≤ 20.0.0.233
adobe | flash player | ≤ 11.2.202.559 · ≤ 18.0.0.324 · 19.0.0.185 — 20.0.0.267
adobe | air | ≤ 20.0.0.233
redhat | enterprise linux desktop | 5.0, 6.0
redhat | enterprise linux server | 5.0, 6.0
redhat | enterprise linux workstation | 5.0, 6.0
opensuse | evergreen | 11.4
opensuse | opensuse | 13.1, 13.2
suse | linux enterprise desktop | 11, 12
+7 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation [prevent]: Directly requires applying vendor patches to remediate the integer-overflow flaw in Flash Player/AIR before exploitation occurs.

SC-18 Mobile Code [prevent]: Establishes usage restrictions and implementation guidance for mobile code technologies such as Adobe Flash, blocking vulnerable versions from executing.

CM-7 Least Functionality [prevent]: Enforces least functionality by disabling or removing unnecessary Flash Player/AIR components that contain the integer-overflow vulnerability.

References