Unrated severity · NVD Advisory · Published May 13, 2015 · Updated May 6, 2026

CVE-2015-3086

Description

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3077 and CVE-2015-3084.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A type confusion vulnerability in Adobe Flash Player versions before the patched releases allows remote code execution via crafted SWF content.

Vulnerability

A type confusion vulnerability exists in Adobe Flash Player before 13.0.0.289, 14.x through 17.x before 17.0.0.188 on Windows and OS X, and before 11.2.202.460 on Linux; Adobe AIR before 17.0.0.172; Adobe AIR SDK before 17.0.0.172; and Adobe AIR SDK & Compiler before 17.0.0.172. This unspecified type confusion [1] allows attackers to execute arbitrary code by leveraging the flaw when processing specially crafted SWF content.

Exploitation

An attacker can exploit this vulnerability by convincing a user to visit a webpage or open a file containing malicious SWF content. No additional authentication or user interaction beyond loading the crafted content is required. The attacker does not need local access and can trigger the exploit remotely via the web or email attachments.

Impact

Successful exploitation leads to arbitrary code execution in the context of the affected Flash Player or AIR process. The attacker can gain full control of the affected system, including the ability to install programs, view, change, or delete data, or create new accounts with full user rights.

Mitigation

Adobe released fixed versions on 2015-05-12: Flash Player 13.0.0.289, 17.0.0.188 (Windows/OS X), 11.2.202.460 (Linux); AIR 17.0.0.172; AIR SDK 17.0.0.172; and AIR SDK & Compiler 17.0.0.172 [1]. Gentoo Linux users can upgrade to www-plugins/adobe-flash-11.2.202.460 [2]. Red Hat Enterprise Linux users received RHSA-2015:1005 [1]. No workaround is available aside from updating.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

25
  • Adobe Inc./Air (2 versions)
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=17.0.0.144
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (+ 16 more)
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=13.0.0.264
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
  • GNU/Flash Player (llm-fuzzy)
    Range: <17.0.0.188 (Windows/OS X), <11.2.202.460 (Linux), <13.0.0.289 (older branches)
  • osv-coords (2 versions)
    < 11.2.202.460-83.1 (+ 1 more)
    • (no CPE) range: < 11.2.202.460-83.1
    • (no CPE) range: < 11.2.202.460-83.1
