Adobe Flash Player
CVE-2015-8651
Severity: HIGH (CVSS v3.1 base score 8.8; NVD rating, and NVD is the only source scoring this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.
Analysis (AI-generated)
An integer overflow in Adobe Flash Player allows a remote attacker to execute arbitrary code; exploitation requires a user to open attacker-controlled Flash content (the CVSS vector carries UI:R). The CVE is listed in CISA's Known Exploited Vulnerabilities catalog, and its EPSS score of 88.97% (the estimated probability of exploitation activity within the next 30 days) indicates a very high likelihood of real-world exploitation. Affected versions: Flash Player before 18.0.0.324 and 19.x/20.x before 20.0.0.267 on Windows and OS X, before 11.2.202.559 on Linux, and the Adobe AIR runtime, AIR SDK and AIR SDK & Compiler before 20.0.0.233. Vendor patches have been available since Adobe's APSB16-01 release in December 2015.
Technical Context (AI-generated)
Adobe's advisory classifies this flaw as an integer overflow (CWE-190) reachable through unspecified vectors; neither the advisory nor the CVE record names the affected component, so any attribution to a specific subsystem such as the ActionScript virtual machine is inference rather than documented fact. The weakness class itself is well understood: an arithmetic operation, typically a length or count multiplied by an element size, produces a value larger than the integer type can hold, and the result wraps to a small or negative value. When that wrapped value is used as an allocation size, the buffer that comes back is far smaller than the data the subsequent copy or initialization loop expects to write, and the loop, which still trusts the original count, runs past the end of the allocation. The resulting heap corruption is the primitive the attacker builds on; because the attacker authors the Flash content that supplies the value and can shape heap layout from ActionScript, the corruption can be turned into control of execution. The fix is to validate the multiplication before allocating and to reject any count whose byte size does not fit in the size type. The vulnerability affects the Flash Player runtime on all major desktop platforms, the AIR runtime used for standalone Flash applications, and the AIR SDKs used to build them.
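The overflow-to-undersized-allocation pattern described above, as an added example in C. This is not Adobe's code and the public advisory gives no detail of the real vulnerable computation; the example models a hypothetical 32-bit size calculation for an array of 4-byte elements, the attacker-controlled count that makes it wrap, and the checked form that rejects it. The count 0x40000001 is a constructed input, and the "bytes past end" figure is computed arithmetically so the demonstration never corrupts its own heap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 4-byte elements (what an AS3 uint or int occupies in a Vector).
 * The element count is the attacker-controlled value, e.g. a length field read
 * from crafted content. Sizes are modelled as uint32_t because a 32-bit process
 * does its size arithmetic in 32 bits. */
#define ELEM_SIZE 4u

/* Buggy pattern: plain 32-bit multiplication. For count > 0x3FFFFFFF the
 * product exceeds 2^32 and silently wraps to a small value. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened pattern: reject any count whose byte size does not fit in 32 bits.
 * Returns the byte size, or -1 when the multiplication would overflow. */
int64_t alloc_size_checked(uint32_t count) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    return (int64_t)count * ELEM_SIZE;
}

/* How many bytes a copy loop that trusts `count` would write past the end of a
 * buffer sized by alloc_size_unchecked(). Computed in 64 bits, no memory touched. */
uint64_t bytes_past_end_unchecked(uint32_t count) {
    uint64_t needed = (uint64_t)count * ELEM_SIZE;   /* what the loop writes */
    uint64_t got    = alloc_size_unchecked(count);   /* what was allocated   */
    return needed > got ? needed - got : 0;
}

/* Safe allocate-and-fill: the checked size bounds the allocation, and the loop
 * bound (count) is exactly size / ELEM_SIZE, so every write is in bounds.
 * Returns 1 on success, 0 if the request was refused or allocation failed. */
int fill_array_checked(uint32_t count, uint32_t pattern) {
    int64_t size = alloc_size_checked(count);
    if (size < 0)
        return 0;
    if (size == 0)
        return 1;                       /* nothing to allocate or write */
    uint32_t *buf = malloc((size_t)size);
    if (buf == NULL)
        return 0;
    for (uint32_t i = 0; i < count; i++)
        buf[i] = pattern;
    free(buf);
    return 1;
}

int main(void) {
    uint32_t evil = 0x40000001u;        /* 0x40000001 * 4 == 0x100000004 -> wraps to 4 */
    printf("unchecked size for count 0x%08" PRIx32 ": %" PRIu32 " bytes\n",
           evil, alloc_size_unchecked(evil));
    printf("checked size   for count 0x%08" PRIx32 ": %" PRId64 "\n",
           evil, alloc_size_checked(evil));
    printf("bytes a trusting copy loop writes past the end: 0x%" PRIx64 "\n",
           bytes_past_end_unchecked(evil));
    printf("fill_array_checked(16): %d, fill_array_checked(evil): %d\n",
           fill_array_checked(16u, 0x41414141u), fill_array_checked(evil, 0u));
    return 0;
}
```

The division-based check is portable C; with GCC or Clang the same guard can be written as `__builtin_mul_overflow(count, ELEM_SIZE, &size)`, which reports the overflow without the division. Either way the rule is the same: the value that bounds the allocation and the value that bounds the write loop must be derived from one validated computation.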
Remediation (AI-generated)
Upgrade Adobe Flash Player to 20.0.0.267 or later (19.x and 20.x) or, on the 18.x extended support release, to 18.0.0.324 or later on Windows and OS X; on Linux, upgrade to 11.2.202.559 or later. Upgrade the Adobe AIR runtime, AIR SDK and AIR SDK & Compiler to 20.0.0.233 or later, per APSB16-01. Version checks must be branch-aware: 18.0.0.324 is fixed even though it sorts below a vulnerable 19.0.0.x build, so compare each installation against the fix level of its own branch rather than against a single number. For Red Hat Enterprise Linux, apply RHSA-2015-2697 through yum. Organizations that cannot patch immediately should disable the Flash Player browser plugin, enforce click-to-play for Flash in the browser, and block Flash content (.swf, MIME type application/x-shockwave-flash) at web proxies until patching is complete. Disabling Flash breaks legacy web applications that depend on it, so catalog those dependencies before enforcing the controls. Long term, migrate all Flash-dependent applications to HTML5 or other modern alternatives: Adobe ended Flash Player support in December 2020.
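A branch-aware version check that encodes the fix levels above, as an added example in C (not Adobe's or Red Hat's tooling). The version strings in the sample are constructed inputs. The branch rules follow the CVE description: on Windows and OS X anything below 18.0.0.324 is affected, 19.x and 20.x need 20.0.0.267, on Linux the 11.2.x branch needs 11.2.202.559, and AIR with its SDKs needs 20.0.0.233. Builds newer than 20.x (or newer than 11.2.x on Linux) are assumed fixed because they postdate the advisory; that assumption is marked in the code.

```c
#include <stdio.h>
#include <string.h>

/* Platform the Flash Player build runs on; the Linux 11.2.x branch has its own fix level. */
enum flash_platform { FLASH_WINDOWS_OSX = 0, FLASH_LINUX = 1 };

/* Four-component Adobe version number, e.g. 18.0.0.324. */
typedef struct { unsigned major, minor, build, rev; } flash_version;

/* Parses "a.b.c.d" exactly (no trailing characters); returns 1 on success, 0 if malformed. */
int parse_flash_version(const char *s, flash_version *v) {
    char trailing;
    int n = sscanf(s, "%u.%u.%u.%u%c",
                   &v->major, &v->minor, &v->build, &v->rev, &trailing);
    return n == 4;
}

/* Lexicographic compare of the four components: <0, 0, >0. */
static int version_cmp(const flash_version *a, const flash_version *b) {
    const unsigned pa[4] = { a->major, a->minor, a->build, a->rev };
    const unsigned pb[4] = { b->major, b->minor, b->build, b->rev };
    for (int i = 0; i < 4; i++)
        if (pa[i] != pb[i])
            return pa[i] < pb[i] ? -1 : 1;
    return 0;
}

/* 1 if `installed` is strictly below `fixed`, 0 if at or above, -1 if either is malformed. */
int version_below(const char *installed, const char *fixed) {
    flash_version a, b;
    if (!parse_flash_version(installed, &a) || !parse_flash_version(fixed, &b))
        return -1;
    return version_cmp(&a, &b) < 0 ? 1 : 0;
}

/* Applies the APSB16-01 fix levels for CVE-2015-8651 to a Flash Player version string.
 * Returns 1 = vulnerable, 0 = fixed, -1 = unparseable. */
int flash_player_vulnerable(const char *installed, enum flash_platform platform) {
    flash_version v;
    if (!parse_flash_version(installed, &v))
        return -1;
    if (platform == FLASH_LINUX)
        return version_below(installed, "11.2.202.559");   /* Linux 11.2.x branch */
    if (v.major <= 18)
        return version_below(installed, "18.0.0.324");     /* 18.x ESR and anything older */
    if (v.major <= 20)
        return version_below(installed, "20.0.0.267");     /* 19.x and 20.x */
    return 0;   /* assumption: builds newer than 20.x postdate the advisory and are fixed */
}

/* Adobe AIR runtime, AIR SDK and AIR SDK & Compiler share one fix level, 20.0.0.233. */
int adobe_air_vulnerable(const char *installed) {
    return version_below(installed, "20.0.0.233");
}

int main(void) {
    /* Constructed sample inventory, not data from a real host. */
    const char *samples[] = { "18.0.0.268", "18.0.0.324", "19.0.0.245",
                              "20.0.0.267", "21.0.0.182", "18.0.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("win/osx %-12s -> %d\n", samples[i],
               flash_player_vulnerable(samples[i], FLASH_WINDOWS_OSX));
    printf("linux   11.2.202.554 -> %d\n",
           flash_player_vulnerable("11.2.202.554", FLASH_LINUX));
    printf("AIR     20.0.0.204   -> %d\n", adobe_air_vulnerable("20.0.0.204"));
    return 0;
}
```

The point of the per-branch table is the 18.x case: a naive "is it below 20.0.0.267?" check flags every 18.0.0.324 ESR install as vulnerable and would drive unnecessary reinstalls, while a naive "is it below 18.0.0.324?" check misses every vulnerable 19.x and 20.x build.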
Weakness: CWE-190 – Integer Overflow or Wraparound