CVE-2015-5123

ENISA EUVD: EUVD-2015-5138 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 1 article Published: 2015-07-14

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

41.0%

probability

This CVE has a 41.0% probability of being exploited in the next 30 days.

0% Top 97.4th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

10.0

HIGH

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Description

VulnerabilityLookup (CNA)

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Affected Products

n/a

redhat

enterprise linux desktop

redhat

enterprise linux server

redhat

enterprise linux server eus

redhat

enterprise linux workstation

opensuse

evergreen

n/a

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Discovered

July 5, 2015

Patched

July 14, 2015

Reported by

Peter Pi of TrendMicro and slipstream/RoL (@TheWack0lian)

Root Cause Analysis

???

http://www.securitytracker.com/id/1032890

vdb-entry x_refsource_SECTRACK

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00028.html

vendor-advisory x_refsource_SUSE

http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/

x_refsource_MISC

http://marc.info/?l=bugtraq&m=144050155601375&w=2

vendor-advisory x_refsource_HP

http://www.us-cert.gov/ncas/alerts/TA15-195A

third-party-advisory x_refsource_CERT

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

x_refsource_CONFIRM

Signal Intelligence

Confidenceⓘ

95%

EPSS 41.0%

CVSS v3.1 7.8

Mentions 1

Last Seen Jul 07, 2015

CNA Information

CNA Assigner

adobe

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026

Published DateJul 14, 2015