Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
Published 2015-07-14 10:59:00
Updated 2024-07-02 17:42:40
View at NVD,   CVE.org
Vulnerability category: Memory CorruptionExecute codeDenial of service

Products affected by CVE-2015-5122

CVE-2015-5122 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Adobe Flash Player Use-After-Free Vulnerability
CISA required action:
The impacted product is end-of-life and should be disconnected if still in use.
CISA description:
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service (DoS).
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2015-5122
Added on 2022-04-13 Action due date 2022-05-04

Exploit prediction scoring system (EPSS) score for CVE-2015-5122

96.96%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2015-5122

  • Adobe Flash opaqueBackground Use After Free
    Disclosure Date: 2015-07-06
    First seen: 2020-04-26
    exploit/multi/browser/adobe_flash_opaque_background_uaf
    This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling the opaqueBackground property 7 setter of the flash.displ

CVSS scores for CVE-2015-5122

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
10.0
HIGH AV:N/AC:L/Au:N/C:C/I:C/A:C
10.0
10.0
NIST
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST 2024-07-02

CWE ids for CVE-2015-5122

  • The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-5122

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!