VIR Vulnerability Intelligence Relay

CVE-2015-5118

critical
Published 2015-07-09 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3135 and CVE-2015-4432.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37880 dos linux_x86-64 verified text ยท 1 KB
Google Security Research ยท 2015-08-19

Adobe Flash - Heap Buffer Overflow Due to Indexing Error When Loading FLV File

text exploit Source: Exploit-DB 
Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

To reproduce, host the attached files appropriately, and:

http://localhost/LoadMP4.swf?file=crash3006694.flv

If there is no crash at first, refresh the page a few times.

With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:

=> 0x00007f7779846eee:	mov    %ax,(%rdi,%rdx,2)

rax            0xff69
rdi            0x7f7778b70000
rdx            0x160b

7f777861e000-7f7778b72000 rw-p 00000000 00:00 0 
7f7778b72000-7f7779228000 ---p 00000000 00:00 0 

It looks like an indexing error; the rdi "base" address is in bounds but add on 2*rdx and the address is not in bounds.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37880.zip

OS impact
linux Linux kernel Fixed 1 release
VersionStatusFixed in
- Not affected โ€”
macos macOS Fixed 1 release
VersionStatusFixed in
- Not affected โ€”

Application impact
VendorProductVersionsFixed
adobe adobeflash_player{"endIncluding":"13.0.0.289"}
adobe adobeflash_player14.0.0.125
adobe adobeflash_player14.0.0.145
adobe adobeflash_player14.0.0.176
adobe adobeflash_player14.0.0.179
adobe adobeflash_player15.0.0.152
adobe adobeflash_player15.0.0.167
adobe adobeflash_player15.0.0.189
adobe adobeflash_player15.0.0.223
adobe adobeflash_player15.0.0.239
adobe adobeflash_player15.0.0.246
adobe adobeflash_player16.0.0.235
adobe adobeflash_player16.0.0.257
adobe adobeflash_player16.0.0.287
adobe adobeflash_player16.0.0.296
adobe adobeflash_player17.0.0.134
adobe adobeflash_player17.0.0.169
adobe adobeflash_player17.0.0.188
adobe adobeflash_player17.0.0.190
adobe adobeflash_player18.0.0.160
adobe adobeflash_player18.0.0.194
adobe adobeair{"endIncluding":"18.0.0.144"}
adobe adobeair_sdk{"endIncluding":"18.0.0.144"}
adobe adobeair_sdk_\&_compiler{"endIncluding":"18.0.0.144"}

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.