CVE-2015-3093
Description
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3090.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player memory corruption in DefineBitsLossless tags allows arbitrary code execution via crafted SWF.
Vulnerability
A memory corruption vulnerability exists in Adobe Flash Player versions before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X, and before 11.2.202.460 on Linux, as well as in Adobe AIR before 17.0.0.172. The flaw resides in the handling of DefineBitsLossless and DefineBitsLossless2 tags [2]. When processing malformed compressed bitmap data, the zlib decompression routine may fail, but the return value is not properly checked, leaving an allocated buffer uninitialized. This memory can later be used in rendering [2].
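The unchecked-decompression pattern the narrative describes, shown as an added C example that is not Adobe's code and not taken from this page: a constructed run-length decoder (`rle_inflate`) plays the role of the zlib call, and the bitmap decoder is shown once with the decompressor's result ignored and once with the result checked and the buffer zero-initialized. All function names and the payload format are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the zlib decompression step: expands (count, value)
 * pairs into dst. Returns 0 on success, -1 if the input is truncated or would
 * overflow dst. Like a real inflate call, it may have written part of dst
 * before reporting failure. Hypothetical helper, not Flash Player code. */
static int rle_inflate(const uint8_t *src, size_t src_len,
                       uint8_t *dst, size_t dst_len, size_t *out_len)
{
    size_t o = 0;
    if (src_len % 2 != 0)
        return -1;                      /* truncated (count, value) pair */
    for (size_t i = 0; i < src_len; i += 2) {
        size_t count = src[i];
        if (count > dst_len - o)
            return -1;                  /* would overflow the bitmap */
        memset(dst + o, src[i + 1], count);
        o += count;
    }
    *out_len = o;
    return 0;
}

/* Vulnerable pattern from the narrative: the decompressor's return value is
 * discarded, so on malformed input the caller receives a heap buffer that was
 * never (fully) written and later renders whatever the allocator left there. */
uint8_t *decode_bitmap_unchecked(const uint8_t *payload, size_t payload_len,
                                 size_t width, size_t height)
{
    size_t need = width * height;       /* no overflow guard either */
    uint8_t *pixels = malloc(need);
    if (pixels == NULL)
        return NULL;
    size_t got = 0;
    (void)rle_inflate(payload, payload_len, pixels, need, &got); /* result ignored */
    return pixels;                      /* contents undefined on failure */
}

/* Hardened version: reject the tag unless decompression succeeded and produced
 * exactly the expected number of pixels, and start from zeroed memory so a
 * partial write can never expose stale heap contents to the renderer. */
uint8_t *decode_bitmap_checked(const uint8_t *payload, size_t payload_len,
                               size_t width, size_t height)
{
    if (width == 0 || height == 0 || width > SIZE_MAX / height)
        return NULL;                    /* dimension overflow guard */
    size_t need = width * height;
    uint8_t *pixels = calloc(need, 1);  /* zero-initialized */
    if (pixels == NULL)
        return NULL;
    size_t got = 0;
    if (rle_inflate(payload, payload_len, pixels, need, &got) != 0 || got != need) {
        free(pixels);
        return NULL;                    /* malformed tag: do not render */
    }
    return pixels;
}

int main(void)
{
    /* Constructed payloads for a 4x2 bitmap: one well-formed, one truncated. */
    const uint8_t good[] = { 4, 0xAA, 4, 0x55 };
    const uint8_t bad[]  = { 4, 0xAA, 4 };
    uint8_t *p = decode_bitmap_checked(good, sizeof good, 4, 2);
    printf("well-formed tag (checked):  %s\n", p ? "decoded" : "rejected");
    free(p);
    p = decode_bitmap_checked(bad, sizeof bad, 4, 2);
    printf("truncated tag (checked):    %s\n", p ? "decoded" : "rejected");
    free(p);
    p = decode_bitmap_unchecked(bad, sizeof bad, 4, 2);
    printf("truncated tag (unchecked):  %s\n", p ? "buffer returned anyway" : "rejected");
    free(p);
    return 0;
}
```

The checked variant enforces two conditions the narrative's description implies were missing: the decompressor must report success, and it must have produced the full bitmap (`got == need`). Zeroing the allocation with `calloc` is a defence-in-depth measure so that even a future missed check cannot hand stale heap contents to the renderer.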
Exploitation
An attacker does not require any special network position beyond the ability to deliver a crafted SWF file to the target, typically via a web page or email. The victim must open the malicious SWF in a vulnerable Flash Player instance. The attacker crafts a SWF containing a corrupted DefineBitsLossless or DefineBitsLossless2 tag, causing the player to use uninitialized heap memory [2]. The attacker can control the pattern of uninitialized data to achieve memory corruption [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the Flash Player process, leading to potential full compromise of the affected system. Alternatively, a denial of service via crash can be achieved [1][3]. The vulnerability can also lead to information disclosure as uninitialized memory may contain sensitive data [2].
Mitigation
Adobe released fixed versions: Flash Player 17.0.0.188 (Windows/OS X) and 11.2.202.460 (Linux), and AIR 17.0.0.172 [1]. Red Hat issued RHSA-2015:1005 for affected Linux distributions [1]. Gentoo users should update to >=www-plugins/adobe-flash-11.2.202.460 [3]. No workaround is available, and systems that cannot be patched should consider removing or disabling Flash Player [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.144
- (no CPE) range: < 17.0.0.172
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=17.0.0.144
- (no CPE) range: < 17.0.0.172
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=17.0.0.144
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.475
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- range: < 13.0.0.289 (Windows/OSX), < 17.0.0.188 (Windows/OSX 14-17.x), < 11.2.202.460 (Linux)
OSV coordinates (2 versions)
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 range: < 11.2.202.460-83.1
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012 range: < 11.2.202.460-83.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-09.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-05/msg00007.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-05/msg00010.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-05/msg00016.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-1005.html (nvd)
- www.securityfocus.com/bid/74605 (nvd)
- www.securitytracker.com/id/1032285 (nvd)
- security.gentoo.org/glsa/201505-02 (nvd)
- www.exploit-db.com/exploits/37846/ (nvd)
News mentions
No linked articles in our index yet.