Vulnerability Description
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Adobe | Flash Player | >= 13.0.0.182, <= 13.0.0296 |
| Apple | Mac Os X | - |
| Microsoft | Windows | - |
| Linux | Linux Kernel | - |
| Redhat | Enterprise Linux Desktop | 5.0 |
| Redhat | Enterprise Linux Eus | 6.6 |
| Redhat | Enterprise Linux Server | 5.0 |
| Redhat | Enterprise Linux Server Aus | 6.6 |
| Redhat | Enterprise Linux Server From Rhui | 5.0 |
| Redhat | Enterprise Linux Workstation | 5.0 |
| Opensuse | Evergreen | 11.4 |
| Opensuse | Opensuse | 13.1 |
| Suse | Linux Enterprise Desktop | 11 |
| Suse | Linux Enterprise Workstation Extension | 12 |
Related Weaknesses (CWE)
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-playeBroken Link
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.htmlMailing ListThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-1214.htmlThird Party Advisory
- http://twitter.com/w3bd3vil/statuses/618168863708962816Broken Link
- http://www.kb.cert.org/vuls/id/561288Third Party AdvisoryUS Government Resource
- http://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_Third Party Advisory
- http://www.securityfocus.com/bid/75568Broken LinkThird Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1032809Broken LinkThird Party AdvisoryVDB Entry
- http://www.us-cert.gov/ncas/alerts/TA15-195AThird Party AdvisoryUS Government Resource
- https://helpx.adobe.com/security/products/flash-player/apsa15-03.htmlBroken LinkPatchVendor Advisory
- https://helpx.adobe.com/security/products/flash-player/apsb15-16.htmlBroken LinkPatchVendor Advisory
- https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-AfExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2015-5119?
CVE-2015-5119 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x th...
How severe is CVE-2015-5119?
CVE-2015-5119 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-5119?
Check the references section above for vendor advisories and patch information. Affected products include: Adobe Flash Player, Apple Mac Os X, Microsoft Windows, Linux Linux Kernel, Redhat Enterprise Linux Desktop.