Unrated severity · NVD Advisory · Published May 13, 2015 · Updated May 6, 2026

CVE-2015-3089

Description

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3090, and CVE-2015-3093.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory corruption in Adobe Flash Player via a malformed MPD file allows arbitrary code execution or denial of service.

Vulnerability

CVE-2015-3089 is a memory corruption vulnerability in Adobe Flash Player, affecting versions before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X, before 11.2.202.460 on Linux, as well as Adobe AIR before 17.0.0.172 and related SDKs [1][3]. The bug occurs when Flash processes a crafted MPD file: a stack variable is left uninitialized, and its use corrupts memory [2]. This is one of several similar vulnerabilities disclosed at the same time (CVE-2015-3078, CVE-2015-3090, CVE-2015-3093) [1][3].

Exploitation

An attacker can exploit this vulnerability by hosting a malicious SWF file along with a specially crafted MPD file on a web server [2]. The user must visit the malicious page, typically via a browser. The proof-of-concept uses a compiled ActionScript file with specific Flex flags (-target-player 14.0 -swf-version 25) and loads the MPD file via PlayManifest.swf?file=gen.mpd [2]. No authentication or prior access is required. The crash analysis shows a null pointer dereference due to an uninitialized stack variable, which an attacker could leverage for code execution [2].

Impact

Successful exploitation results in memory corruption, allowing an attacker to execute arbitrary code with the privileges of the user running Flash Player, or cause a denial of service [1][3]. If the user has administrative rights, the attacker could gain full system control. The vulnerability can also lead to information disclosure or security restriction bypass [3].

Mitigation

Adobe released fixed versions on May 12, 2015: Flash Player 13.0.0.289, 17.0.0.188 (Windows/OS X), 11.2.202.460 (Linux), and AIR 17.0.0.172 [1]. Users should update immediately via the Adobe website or automatic update mechanisms. No workarounds are available [3]. Red Hat and Gentoo advisories both recommend upgrading to the patched versions [1][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

24
  • Adobe Inc./Air (2 versions)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.144
    • (no CPE) range: <17.0.0.172
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    Range: <=17.0.0.144
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=17.0.0.144
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=13.0.0.264
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
  • Range: Windows/OSX < 13.0.0.289 or >=14.x < 17.0.0.188; Linux < 11.2.202.460
  • osv-coords (2 versions)
    • (no CPE) range: < 11.2.202.460-83.1
    • (no CPE) range: < 11.2.202.460-83.1
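
The fixed-version thresholds in the description above can be turned into an inventory check. The following is an added example, not code from the advisory or from Adobe; the function names, product keys and sample inventory are hypothetical, and it assumes a distro release suffix such as "-83.1" can be dropped so that only the upstream version is compared.

```python
# Added example (not the advisory's code): version check for CVE-2015-3089.
# Thresholds come from the description above; all names are hypothetical.
AIR_FIXED = (17, 0, 0, 172)           # AIR, AIR SDK, AIR SDK & Compiler
FLASH_13_FIXED = (13, 0, 0, 289)      # Windows / OS X, before 13.0.0.289
FLASH_17_FIXED = (17, 0, 0, 188)      # Windows / OS X, 14.x through 17.x
FLASH_LINUX_FIXED = (11, 2, 202, 460)
AIR_PRODUCTS = {"air", "air_sdk", "air_sdk_&_compiler"}


def parse_version(text):
    """'17.0.0.169' -> (17, 0, 0, 169); short versions are zero-padded."""
    upstream = text.strip().split("-", 1)[0]  # assumption: drop distro release suffix
    parts = upstream.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))


def is_affected(product, version, platform=None):
    """True if the installed version falls in a range the advisory lists."""
    v = parse_version(version)
    product = product.lower()
    if product in AIR_PRODUCTS:
        return v < AIR_FIXED
    if product != "flash_player":
        raise ValueError(f"product not covered by this advisory: {product!r}")
    platform = (platform or "").lower()
    if platform == "linux":
        return v < FLASH_LINUX_FIXED
    if platform in ("windows", "osx"):
        # Two separate ranges: a fixed 13.x build is safe, but 14.x-17.x
        # builds stay affected until 17.0.0.188.
        return v < FLASH_13_FIXED or (14, 0, 0, 0) <= v < FLASH_17_FIXED
    raise ValueError(f"platform required for flash_player, got {platform!r}")


# Constructed sample inventory: (host, product, version, platform)
SAMPLE_INVENTORY = [
    ("ws-01", "flash_player", "17.0.0.169", "windows"),
    ("ws-02", "flash_player", "13.0.0.292", "windows"),
    ("mac-01", "flash_player", "14.0.0.125", "osx"),
    ("lnx-01", "flash_player", "11.2.202.460-83.1", "linux"),
    ("build-01", "air_sdk", "17.0.0.144", None),
]


def audit(inventory):
    """Return the hosts whose installed version still needs the update."""
    return [host for host, prod, ver, plat in inventory if is_affected(prod, ver, plat)]
```

A simple "less than 17.0.0.188" comparison would wrongly flag patched 13.x builds on Windows and OS X, which is why the check treats the two ranges separately.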

References

9
