
Adobe Flash Player CVE-2015-5119

CRITICAL
Use After Free (CWE-416)
2015-07-08 psirt@adobe.com
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated · Apr 21, 2026 - 15:33 · vuln.today · v2 (cvss_changed)
Re-analysis Queued · Apr 21, 2026 - 15:22 · vuln.today · cvss_changed
Analysis Generated · Mar 26, 2026 - 11:18 · vuln.today
Added to CISA KEV · Nov 17, 2025 - 20:15 · cisa · CISA KEV
PoC Detected · Nov 17, 2025 - 20:15 · vuln.today · Public exploit code
Patch released · Nov 17, 2025 - 20:15 · nvd · Patch available
CVE Published · Jul 08, 2015 - 14:59 · nvd · CRITICAL 9.8

Description (CVE.org)

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Analysis (AI)

Remote code execution in Adobe Flash Player 11.x through 18.x allows unauthenticated network attackers to execute arbitrary code via crafted Flash content that exploits a use-after-free flaw in the ByteArray class. Confirmed actively exploited (CISA KEV) in July 2015 following the Hacking Team data breach, which exposed weaponized exploit code targeting this vulnerability. With an EPSS score of 93.21% (100th percentile) and a publicly available proof of concept, it represents a critical risk to unpatched Flash installations on Windows, OS X, and Linux. Vendor patches are available via Adobe APSB15-16.

Technical Context (AI)

This vulnerability is a CWE-416 use-after-free in the ActionScript 3 ByteArray class implementation within Adobe Flash Player's runtime engine. A use-after-free occurs when memory is accessed after it has been freed; here the trigger is crafted content that overrides an ActionScript valueOf function (the AS3 counterpart of JavaScript's valueOf) so that an object is destroyed while an operation on it is still in progress. The flaw affects memory management in the AS3 virtual machine (AVM2), allowing attackers to manipulate the freed memory region and redirect program execution. CPE data identifies affected versions spanning Flash Player 11.x (Linux), 13.x-14.x (Windows/OS X), and the 18.x branch prior to the patches. The vulnerability also affected Red Hat Enterprise Linux 5.0 and 6.0 systems shipping bundled Flash components. Because the ByteArray class is fundamental to Flash's binary data handling, this is a core runtime vulnerability rather than a flaw in a peripheral feature.

Remediation (AI)

Upgrade Adobe Flash Player immediately to the patched versions released in APSB15-16: 18.0.0.203 for the Windows/OS X extended support branch, 13.0.0.302 for ESR users, and 11.2.202.481 for Linux (details at https://helpx.adobe.com/security/products/flash-player/apsb15-16.html). Red Hat Enterprise Linux administrators should apply RHSA-2015-1214 via yum update flash-plugin. For systems that cannot patch immediately, apply browser-level mitigations: disable Flash Player in the browser settings (Chrome: chrome://settings/content/flash; Firefox: about:addons > Plugins), or configure click-to-play so that Flash content runs only after user approval. Network-level controls include blocking .swf downloads at web proxies and deploying endpoint detection rules for ActionScript valueOf override patterns. Note that disabling Flash breaks legitimate content that relies on the plugin, so assess application dependencies before deployment. Given Flash's 2020 end of life, organizations should prioritize permanent removal over temporary mitigations.


CVE-2015-5119 vulnerability details – vuln.today
