VYPR
Unrated severity · NVD Advisory · Published May 13, 2015 · Updated May 6, 2026

CVE-2015-3077

Description

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3084 and CVE-2015-3086.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player type confusion vulnerability allows arbitrary code execution in versions prior to 17.0.0.188 (Windows/OS X) and 11.2.202.460 (Linux).

Vulnerability

CVE-2015-3077 is a type confusion vulnerability in Adobe Flash Player that allows attackers to execute arbitrary code. The flaw affects Flash Player versions before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X, and versions before 11.2.202.460 on Linux. Additionally, Adobe AIR versions before 17.0.0.172, AIR SDK before 17.0.0.172, and AIR SDK & Compiler before 17.0.0.172 are affected. The vulnerability is triggered when Flash Player does not properly handle object types during memory operations [1][2].

Exploitation

To exploit this vulnerability, an attacker must craft a malicious SWF file and deliver it to the victim through a web page, email attachment, or other means. The victim must open the SWF file using an affected Flash Player version. No authentication or additional privileges are required; the attacker only needs to convince the user to interact with the malicious content [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the user running Flash Player. This can lead to full system compromise, including data theft, installation of malware, or further network traversal. The impact is rated as critical due to the potential for remote code execution without user interaction beyond opening the file [1][2].

Mitigation

Adobe has released patched versions: Flash Player 17.0.0.188 (Windows/OS X) and 11.2.202.460 (Linux), and AIR 17.0.0.172. Users should update immediately. Red Hat issued RHSA-2015:1005 for affected RHEL packages [1], and Gentoo provided GLSA 201505-02 [2]. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

26
  • Adobe Inc./Air (2 versions)
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (+ 16 more)
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.475
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
  • Range: <17.0.0.188 (Windows/OS X), <11.2.202.460 (Linux)
  • osv-coords (2 versions)
    < 11.2.202.460-83.1 (+ 1 more)
    • (no CPE) range: < 11.2.202.460-83.1
    • (no CPE) range: < 11.2.202.460-83.1

Patches

0

No patches discovered yet.

References

8
