CVE-2015-3100
Description
Stack-based buffer overflow in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X allows attackers to execute arbitrary code via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Adobe Flash Player before 18.0.0.160 allows arbitrary code execution via unspecified vectors.
Vulnerability
A stack-based buffer overflow vulnerability exists in Adobe Flash Player versions before 13.0.0.292, 14.x through 17.x before 18.0.0.160 on Windows and OS X, and before 11.2.202.466 on Linux. It also affects Adobe AIR and AIR SDK before specified versions. The issue is triggered via unspecified vectors, likely a crafted SWF file or malicious content that overflows a stack buffer.
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash (SWF) file or visit a malicious web page hosting the exploit. No authentication is required; the attack can be launched remotely. The exact exploitation steps are not publicly detailed but involve providing input that exceeds the allocated stack buffer size.
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected Flash Player process. This can lead to full compromise of the victim’s system, including data theft, installation of malware, or further propagation within a network.
Mitigation
Adobe Flash Player on Windows and OS X should be updated to version 18.0.0.160 or later, and on Linux to version 11.2.202.466 or later. Adobe AIR on Windows should be updated to 18.0.0.144, on OS X and Android to 18.0.0.143. Red Hat and Gentoo have released advisories prompting users to update [1][2]. No workaround is available; users must apply the patched version.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.172
- (no CPE) range: <18.0.0.144 on Windows | <18.0.0.143 on OS X and Android
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=17.0.0.172
- (no CPE) range: <18.0.0.144 on Windows | <18.0.0.143 on OS X
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=17.0.0.172
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.460
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- (no CPE) range: <13.0.0.292 | >=14.0.0.0 <18.0.0.160 | <11.2.202.466
- osv-coords (2 versions):
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
  < 11.2.202.466-86.1
- (no CPE) range: < 11.2.202.466-86.1
- (no CPE) range: < 11.2.202.466-86.1
Patches
No patches discovered yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-11.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00005.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00009.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00011.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-1086.html (nvd)
- www.securityfocus.com/bid/75085 (nvd)
- www.securitytracker.com/id/1032519 (nvd)
- security.gentoo.org/glsa/201506-01 (nvd)