CVE-2015-0323
Description
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0327.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows/OS X, and before 11.2.202.442 on Linux, is vulnerable to a heap-based buffer overflow that allows arbitrary code execution via unspecified vectors.
Vulnerability
A heap-based buffer overflow vulnerability exists in Adobe Flash Player versions before 13.0.0.269, 14.x through 16.x before 16.0.0.305 on Windows and OS X, and before 11.2.202.442 on Linux. The flaw can be triggered by unspecified vectors, allowing an attacker to corrupt heap memory [1][2][3].
Exploitation
An attacker can exploit the vulnerability by convincing a user to open a specially crafted SWF file or visit a malicious web page that hosts the crafted content. No authentication is required, and the user interaction is limited to typical browsing or file opening actions. The exact exploitation steps are not detailed in the references, but the vector is remote [1][2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the affected Flash Player process. This can lead to full system compromise, including data disclosure, installation of malware, or further lateral movement within the victim's network. The vulnerability is rated as critical with a CVSS v2 score of 10.0 [1][2].
Mitigation
Adobe released Flash Player versions 13.0.0.269, 16.0.0.305, and 11.2.202.442 that fix this issue. Platform-specific updates are available from Adobe, and Microsoft and Red Hat also released security updates for affected distributions [1][2]. Gentoo recommends upgrading to >=www-plugins/adobe-flash-11.2.202.442 [3]. Users should apply the updates immediately; no workaround is available [1][2][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=13.0.0.264)
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- Range: before 13.0.0.269, 14.x-16.x before 16.0.0.305, before 11.2.202.442
- osv-coords (2 versions):
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 (no CPE; range: < 11.2.202.442-67.1)
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012 (no CPE; range: < 11.2.202.442-67.1)
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-04.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00006.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00007.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00008.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00009.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-0140.html (nvd)
- secunia.com/advisories/62777 (nvd)
- secunia.com/advisories/62886 (nvd)
- secunia.com/advisories/62895 (nvd)
- security.gentoo.org/glsa/glsa-201502-02.xml (nvd)
- www.securityfocus.com/bid/72514 (nvd)
- www.securitytracker.com/id/1031706 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100708 (nvd)
- technet.microsoft.com/library/security/2755801 (nvd)