CVE-2015-5544
Description
Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5545, CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549, CVE-2015-5552, and CVE-2015-5553.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Adobe Flash - Pointer Crash in Drawing and Bitmap Handling
Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
A nasty-looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
A trigger is attached: signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
The base file from which this fuzz case was generated is also attached: 0688bbd450e7c095265d00be2fca50ab.swf
The crash on 64-bit Linux looks like this:
```
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
rax 0x83071500ff0300 36881008741516032
```
If we trace through the usages of %rax, we can get to some bad writes pretty easily:
```
=> 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)
   0x00007f69314b8f84: je 0x7f69314b8fa0
   ...
   0x00007f69314b8fa0: mov (%rax),%rdi          <-- rdi compromised
   0x00007f69314b8fa3: callq 0x7f69314b8810
   ...
   0x00007f69314b8810: mov (%rsi),%edx
   0x00007f69314b8812: cmp $0x7ffffff,%edx
   0x00007f69314b8818: je 0x7f69314b8862
   0x00007f69314b881a: mov 0x10(%rdi),%eax
   0x00007f69314b881d: cmp $0x7ffffff,%eax
   0x00007f69314b8822: je 0x7f69314b8868
   0x00007f69314b8824: sub $0x1,%edx
   0x00007f69314b8827: cmp %eax,%edx
   0x00007f69314b8829: cmovg %eax,%edx
   0x00007f69314b882c: mov 0x14(%rdi),%eax
   0x00007f69314b882f: mov %edx,0x10(%rdi)      <---- rdi written to
```
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip
OS impact
Linux kernel Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | - |
macOS Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Not affected | - |
Application impact
| Vendor | Product | Affected versions | Fixed |
|---|---|---|---|
| adobe | air | up to and including 18.0.0.180 | |
| adobe | air_sdk | up to and including 18.0.0.180 | |
| adobe | air_sdk_&_compiler | up to and including 18.0.0.180 | |
| adobe | flash_player | up to and including 18.0.0.209 | |
References
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.html
- http://rhn.redhat.com/errata/RHSA-2015-1603.html
- http://www.securityfocus.com/bid/76283
- http://www.securitytracker.com/id/1033235
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05356388
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
- https://security.gentoo.org/glsa/201508-01
CWEs
CWE-119