CVE-2015-0328
Description
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-0325 and CVE-2015-0326.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 13.0.0.269, 14–16.x before 16.0.0.305 on Windows/macOS, and before 11.2.202.442 on Linux, contains a NULL pointer dereference that could cause denial of service.
Vulnerability
Adobe Flash Player before version 13.0.0.269, versions 14.x through 16.x before 16.0.0.305 on Windows and macOS, and versions before 11.2.202.442 on Linux, is affected by a NULL pointer dereference vulnerability [2]. The issue can be triggered via unknown vectors, suggesting it may involve crafted Flash content (SWF files) that causes the player to access a NULL memory pointer [2].
Exploitation
An attacker would need to deliver a specially crafted Flash file (SWF) to the target, typically through a web page or email attachment. No special authentication is required; the victim must load the malicious content in a web browser or application that uses the vulnerable Flash Player [2]. The exact trigger is undisclosed, but the NULL pointer dereference occurs when the player processes the malicious input [1].
Impact
Successful exploitation could lead to a denial of service (DoS) via application crash due to the NULL pointer dereference [2]. The description also notes “possibly have unspecified other impact,” which may include arbitrary code execution, though this is not confirmed [2]. The attacker gains no direct privilege escalation, but a crash can disrupt services or user activity [1].
Mitigation
Adobe released fixed versions: 13.0.0.269, 16.0.0.305 on Windows and macOS, and 11.2.202.442 on Linux [2]. Users should update Flash Player to these versions or later. Red Hat released updated packages for Red Hat Enterprise Linux (e.g., flash-plugin-11.2.202.442-1.el6) [2]. Gentoo users can upgrade to >=www-plugins/adobe-flash-11.2.202.442 [3]. Microsoft issued updates for Flash bundled in Internet Explorer and Edge [1]. No workaround is available if patching is not possible [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=13.0.0.264)
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- Range: <13.0.0.269 / >=14, <16.0.0.305 / <11.2.202.442
- osv-coords (2 versions):
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.442-67.1
- (no CPE) range: < 11.2.202.442-67.1
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-04.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00006.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00007.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00008.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-02/msg00009.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-0140.html (nvd)
- secunia.com/advisories/62886 (nvd)
- secunia.com/advisories/62895 (nvd)
- security.gentoo.org/glsa/glsa-201502-02.xml (nvd)
- www.securityfocus.com/bid/72514 (nvd)
- www.securitytracker.com/id/1031706 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100713 (nvd)
- technet.microsoft.com/library/security/2755801 (nvd)