Adobe Flash Player CVE-2015-8651

Severity: HIGH (CVSS 3.1 base score 8.8, source NVD)
Weakness: Integer Overflow or Wraparound (CWE-190)
Published: 2015-12-28 (CNA: psirt@adobe.com)

Severity by source

NVD (primary; the only source rating this CVE): 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events, newest first)

Apr 22, 2026 - 12:43 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 21, 2026 - 15:22 (vuln.today): Re-analysis Queued (cvss_changed)
Mar 26, 2026 - 11:18 (vuln.today): Analysis Generated
Oct 22, 2025 - 00:15 (cisa): Added to CISA KEV
Oct 22, 2025 - 00:15 (nvd): Patch released; patch available
Dec 28, 2015 - 23:59 (nvd): CVE Published, rated HIGH 8.8

Description (source: CVE.org)

Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.

Analysis (AI-generated)

An integer overflow in Adobe Flash Player allows remote attackers to execute arbitrary code. Exploitation in the wild is confirmed (CISA KEV), and an EPSS score of 88.97% indicates an extremely high probability of real-world exploitation. Affected versions are Flash Player before 18.0.0.324 and 20.0.0.267, Adobe AIR before 20.0.0.233, and the associated SDKs, across Windows, OS X, and Linux. Vendor-released patches have been available since December 2015.

Technical Context (AI-generated)

This vulnerability stems from an integer overflow (CWE-190) in Adobe Flash Player's ActionScript Virtual Machine (AVM2) runtime engine. An integer overflow occurs when an arithmetic operation produces a value larger than the integer type can hold, so the result wraps around to a small or negative value. In Flash Player this typically manifests in memory allocation calculations: an overflowed size value leads to an undersized buffer allocation. When subsequent operations then write the originally intended amount of data into that undersized buffer, they corrupt the heap, which gives an attacker memory manipulation primitives and ultimately arbitrary code execution. The vulnerability affects the core Flash Player runtime on all major desktop platforms, plus the AIR runtime used for standalone Flash applications and the corresponding SDKs used by developers.
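As an added illustration, not Flash Player code (whose internals are not on this page), the following C shows the allocation-size pattern described above: a naive 32-bit multiplication that wraps to a tiny request beside its overflow-checked form, and the number of bytes a later fill would write past the undersized chunk. The count and element size are constructed values.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Size an allocation of `count` elements of `elem_size` bytes the way a
 * naive 32-bit runtime would: the product wraps modulo 2^32, so a large
 * attacker-controlled count can produce a tiny request. */
uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;            /* wraps silently on overflow */
}

/* Predicate used by the hardened path: does count * elem_size fit in 32 bits? */
int mul_fits_u32(uint32_t count, uint32_t elem_size)
{
    return elem_size == 0 || count <= UINT32_MAX / elem_size;
}

/* Hardened form: refuse the request when the product would not fit.
 * Sets *ok = 0 and returns 0 on overflow, otherwise the exact size. */
uint32_t alloc_size_checked(uint32_t count, uint32_t elem_size, int *ok)
{
    if (!mul_fits_u32(count, elem_size)) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return count * elem_size;
}

/* Bytes a fill loop would actually write (computed in 64 bits) minus the
 * buffer the unchecked path allocated. Nonzero means heap corruption. */
uint64_t overflow_bytes(uint32_t count, uint32_t elem_size)
{
    uint64_t needed = (uint64_t)count * elem_size;
    uint64_t got = alloc_size_unchecked(count, elem_size);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    /* Constructed input: 0x40000001 four-byte elements is 4 GiB + 4 bytes. */
    uint32_t count = 0x40000001u, elem = 4;
    int ok = 0;
    printf("unchecked size: %" PRIu32 " bytes\n", alloc_size_unchecked(count, elem));
    printf("checked size: %" PRIu32 " (ok=%d)\n", alloc_size_checked(count, elem, &ok), ok);
    printf("bytes written past the chunk: %" PRIu64 "\n", overflow_bytes(count, elem));
    return 0;
}
```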

Remediation (AI-generated)

Immediately upgrade to Adobe Flash Player 18.0.0.324 or later on the older branch, 20.0.0.267 or later on the current branches for Windows/OS X, or 11.2.202.559 or later on Linux. Upgrade the Adobe AIR runtime and all SDKs to version 20.0.0.233 or later per APSB16-01. For Red Hat Enterprise Linux environments, apply RHSA-2015-2697 via the yum/dnf package managers. Organizations unable to patch immediately should disable Flash Player browser plugins, enforce browser click-to-play restrictions for Flash, and block Flash content at web proxies until patching completes. Note that disabling Flash will break legacy web applications that depend on it; catalog these dependencies before implementing the controls. Long-term, migrate all Flash-dependent applications to HTML5 or other modern alternatives, as Adobe ended Flash Player support in December 2020.
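As an added helper, not code from vuln.today or Adobe, this C function encodes the fixed builds from the CVE description and the upgrade targets above so an inventory script can flag an installed version as affected. The product and platform labels, and the reading that 18.0.0.324 and later on the older branch counts as fixed, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int p[4]; } ver_t;

/* Parse "a.b.c.d"; missing trailing components are treated as 0.
 * Returns 0 if no numeric component could be read. */
static int parse_ver(const char *s, ver_t *v)
{
    memset(v, 0, sizeof *v);
    return sscanf(s, "%d.%d.%d.%d", &v->p[0], &v->p[1], &v->p[2], &v->p[3]) >= 1;
}

/* Component-wise numeric comparison, so 11.2.202.559 sorts after 11.2.202.54. */
static int ver_cmp(const ver_t *a, const ver_t *b)
{
    for (int i = 0; i < 4; i++)
        if (a->p[i] != b->p[i])
            return a->p[i] < b->p[i] ? -1 : 1;
    return 0;
}

/* 1 if `have` sorts before `fixed`, 0 if not, -1 if either is unparsable. */
static int older_than(const char *have, const char *fixed)
{
    ver_t a, b;
    if (!parse_ver(have, &a) || !parse_ver(fixed, &b))
        return -1;
    return ver_cmp(&a, &b) < 0;
}

/* product: "flash" or "air"; platform: "windows", "osx" or "linux" (assumed
 * labels). Returns 1 when the version is in a range the CVE lists as affected,
 * 0 when it is at or above the fixed build for its branch, -1 if unparsable. */
int cve_2015_8651_affected(const char *product, const char *platform,
                           const char *version)
{
    ver_t v;
    if (!parse_ver(version, &v))
        return -1;
    if (strcmp(product, "air") == 0)            /* AIR runtime and SDKs */
        return older_than(version, "20.0.0.233");
    if (strcmp(platform, "linux") == 0)         /* Linux branch */
        return older_than(version, "11.2.202.559");
    if (v.p[0] >= 19)                           /* 19.x / 20.x branches */
        return older_than(version, "20.0.0.267");
    return older_than(version, "18.0.0.324");   /* older branch */
}
```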


CVE-2015-8651 vulnerability details – vuln.today
