CVE-2015-5119

ENISA EUVD: EUVD-2015-5134 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 4 articles Published: 2015-07-08

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

93.2%

probability

This CVE has a 93.2% probability of being exploited in the next 30 days.

0% Top 99.8th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

10.0

HIGH

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Description

VulnerabilityLookup (CNA)

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Affected Products

n/a

n/a

adobe

flash player

redhat

enterprise linux desktop

redhat

enterprise linux eus

redhat

enterprise linux server

redhat

enterprise linux server aus

n/a

n/a

n/a

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Discovered

July 5, 2015

Patched

July 8, 2015

Reported by

Google Project Zero and Morgan Marquis-Boire

Root Cause Analysis

???

Exploits & PoC

CiscoCXSecurity/CVE-2015-5119_walkthrough

Archive from the article CVE-2015-5119 Flash ByteArray UaF: A beginner's walkthrough

12 2015-09-10

jvazquez-r7/CVE-2015-5119

11 2015-08-04

dangokyo/CVE-2015-5119

3 2018-08-21

3 repos — triés par ⭐ Rechercher sur GitHub ↗

http://www.securitytracker.com/id/1032809

vdb-entry x_refsource_SECTRACK

http://www.securityfocus.com/bid/75568

vdb-entry x_refsource_BID

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html

vendor-advisory x_refsource_SUSE

http://www.us-cert.gov/ncas/alerts/TA15-195A

third-party-advisory x_refsource_CERT

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html

vendor-advisory x_refsource_SUSE

http://rhn.redhat.com/errata/RHSA-2015-1214.html

vendor-advisory x_refsource_REDHAT

Signal Intelligence

Confidenceⓘ

95%

EPSS 93.2%

CVSS v3.1 7.8

Mentions 4

Last Seen Oct 16, 2017

CNA Information

CNA Assigner

adobe

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Threat Actors 1

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateJul 08, 2015