CVE-2015-8651

HIGH 8.8 (CVSS 3.1)
2015-12-28 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
Added to CISA KEV: Oct 22, 2025 - 00:15 (cisa)
Patch Released: Oct 22, 2025 - 00:15 (nvd), patch available
CVE Published: Dec 28, 2015 - 23:59 (nvd), HIGH 8.8

Description

Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.

Analysis

Adobe Flash Player contains an integer overflow vulnerability that allows remote code execution, exploited in the wild in December 2015, one of the last major Flash zero-days before the industry began phasing out the plugin.

Technical Context

The CWE-190 integer overflow occurs in Flash Player's internal memory allocation routines. By triggering an integer wraparound during buffer size calculation, the attacker causes a smaller-than-expected buffer to be allocated, which is subsequently overwritten with attacker-controlled data.
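The wraparound described above, shown as an added example beside a checked size calculation. This is not Adobe's code and is not from the original page; `ELEM_SIZE`, the function names and the sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record size in bytes; not taken from Flash Player. */
#define ELEM_SIZE 16u

/* Unchecked size calculation: the 32-bit product wraps modulo 2^32,
 * so a huge count yields a tiny byte count. */
static uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Checked size calculation: returns 0 and stores the byte count,
 * or -1 when count * ELEM_SIZE does not fit in 32 bits. */
static int checked_alloc_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

/* Hardened copy: rejects a wrapped size and a count that claims more
 * records than the input actually holds. Caller frees the result. */
static void *copy_records(const uint8_t *src, size_t src_len, uint32_t count) {
    uint32_t bytes;
    if (checked_alloc_size(count, &bytes) != 0)
        return NULL;
    if (bytes == 0 || bytes > src_len)
        return NULL;
    void *buf = malloc(bytes);
    if (buf != NULL)
        memcpy(buf, src, bytes);
    return buf;
}

int main(void) {
    uint8_t input[64] = {0};            /* constructed sample: 4 records */
    uint32_t count = 0x10000001u;       /* constructed oversized count */
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_alloc_size(count));
    void *ok = copy_records(input, sizeof input, 4);
    void *bad = copy_records(input, sizeof input, count);
    printf("valid count accepted: %s\n", ok ? "yes" : "no");
    printf("oversized count rejected: %s\n", bad ? "no" : "yes");
    free(ok);
    free(bad);
    return 0;
}
```

The guard compares the count against `UINT32_MAX / ELEM_SIZE` before multiplying, so the wrapped value is never computed on the path that allocates.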

Affected Products

Adobe Flash Player before 18.0.0.324 (Windows/OS X)
Adobe Flash Player 19.x/20.x before 20.0.0.267 (Windows/OS X)
Adobe Flash Player before 11.2.202.559 (Linux)
Adobe AIR before 20.0.0.233
Adobe AIR SDK before 20.0.0.233

Remediation

Flash Player is end-of-life. Remove all Flash installations completely. No modern browser supports Flash content.

Priority Score

193
KEV: +50
EPSS: +89.0
CVSS: +44
POC: 0
