VYPR
← All advisories
Unrated severityNVD Advisory· Published May 13, 2015· Updated May 6, 2026

CVE-2015-3084

CVE-2015-3084

Description

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3077 and CVE-2015-3086.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player type confusion allows remote code execution via crafted content.

Vulnerability

A type confusion vulnerability exists in Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X, and before 11.2.202.460 on Linux, as well as in Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 [1][2]. The issue arises from an unspecified type confusion that can be exploited to corrupt memory.

Exploitation

An attacker can host a specially crafted SWF file and trick a user into viewing it, typically via a malicious website or email. No special network position or authentication is required; the attacker needs only to deliver the content and the user to interact with it (e.g., clicking a link or opening a file). Once the Flash content is rendered, the type confusion is triggered.

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the affected user's system. This can lead to full compromise of the system, including data theft, installation of malware, or further escalation of privileges.

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.289 / 17.0.0.188 (Windows and OS X), Flash Player 11.2.202.460 (Linux), and AIR 17.0.0.172, AIR SDK 17.0.0.172, and AIR SDK & Compiler 17.0.0.172 [1]. Users should upgrade to these versions immediately. Red Hat and Gentoo advisories also recommend updating to the latest versions [1][2]. No workaround is available [2].

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1005.html
  2. Multiple vulnerabilities (GLSA 201505-02) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

25
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=17.0.0.144
    • (no CPE)range: < 17.0.0.172
  • Adobe Inc./Air Sdk2 versions
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=17.0.0.144
    • (no CPE)range: < 17.0.0.172
  • Adobe Inc./Air Sdk \& Compiler
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=17.0.0.144
  • Adobe Inc./Flashplayer17 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 16 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.475
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
  • GNU/Flash Playerllm-fuzzy
    Range: < 13.0.0.289 (Windows/OS X Linux 11.2.202.460) / < 17.0.0.188 (14.x-17.x)
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.460-83.1+ 1 more
    • (no CPE)range: < 11.2.202.460-83.1
    • (no CPE)range: < 11.2.202.460-83.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.