VIR Vulnerability Intelligence Relay

CVE-2015-5562

critical
Published 2015-08-14 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-5554, CVE-2015-5555, and CVE-2015-5558.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37881 dos windows_x86 verified text ยท 1 KB
Google Security Research ยท 2015-08-19

Adobe Flash - Shared Object Type Confusion

text exploit Source: Exploit-DB 
Source: https://code.google.com/p/google-security-research/issues/detail?id=434&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A PoC is as follows:

class subso extends Sound{

	public function subso(f){
			
	super("_level0.test");
	var n = {valueOf : func};
	_global.func = f;
	_global.t = this;
	var f2 = this.loadSound;
	f2.call(this, n, 1);
}

function func(){
	
	_global.func(_global.t,"/sosuper.swf", "/sosuper.swf");
	return 1;
	}
}
	

A sample fla, swf and AS file are attached. Note that this PoC needs to be hosted on a webserver to work and only works on 32-bit systems (tested on Windows Chrome). song1.mp3 should be put in the same folder on the server as the swf, it is needed for loadSound to work. This bug is likely only exploitable on 32-bit systems due to how the type-confused fields line up.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37881.zip

OS impact
linux Linux kernel Fixed 1 release
VersionStatusFixed in
- Not affected โ€”
macos macOS Fixed 1 release
VersionStatusFixed in
- Not affected โ€”

Application impact
VendorProductVersionsFixed
adobe adobeflash_player{"endIncluding":"18.0.0.209"}
adobe adobeair{"endIncluding":"18.0.0.180"}
adobe adobeair_sdk{"endIncluding":"18.0.0.180"}
adobe adobeair_sdk_\&_compiler{"endIncluding":"18.0.0.180"}

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.