CVE-2015-5122

CRITICAL KEV RANSOMWARE

Adobe Flash opaqueBackground Use After Free

Title source: metasploit

Description

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/37599
vulncheck_xdb WORKING POC
client-side
https://github.com/Xattam1/Adobe-Flash-Exploits_17-18
metasploit WORKING POC GREAT
by Unknown, juan vazquez, sinn3r · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb

References (22)

... and 2 more

Scores

CVSS v3 9.8
EPSS 0.9278
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-04-13
VulnCheck KEV 2015-07-05
InTheWild.io 2015-07-05
ENISA EUVD EUVD-2015-5137
Ransomware Use Confirmed
CWE
CWE-416
Status published
Products (15)
adobe/flash_player 11.0 - 11.2.202.481
adobe/flash_player 13.0 - 13.0.0.302
adobe/flash_player 18.0 - 18.0.0.203 (3 CPE variants)
adobe/flash_player_desktop_runtime 18.0 - 18.0.0.203
opensuse/evergreen 11.4
redhat/enterprise_linux_desktop 5.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_server 5.0
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_server_eus 6.6
... and 5 more
Published Jul 14, 2015
KEV Added Apr 13, 2022
Tracked Since Feb 18, 2026