CVE DATABASE / CVE-2015-5123

CVE-2015-5123

Adobe Flash Player Use-After-Free Vulnerability

CVSS 9.8 · CRITICAL ⚠ CISA KEV — ACTIVELY EXPLOITED

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2022-04-13. Federal remediation due 2022-05-04.
Required action: The impacted product is end-of-life and should be disconnected if still in use.

Summary

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

CVSS 3.1 breakdown

Base score	9.8 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

CWE-416

Affected products

Redhat enterprise linux desktopRedhat enterprise linux serverRedhat enterprise linux server eusRedhat enterprise linux workstationOpensuse evergreenSuse linux enterprise desktopSuse linux enterprise workstation extensionAdobe flash playerLinux linux kernelAdobe flash player desktop runtimeApple macosMicrosoft windows

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-04-21. Always verify against the vendor advisory before acting.