CVE-2015-3101
Description
The Flash broker in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, when Internet Explorer is used, allows attackers to perform a transition from Low Integrity to Medium Integrity via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 13.0.0.292 and 14.x–18.x before 18.0.0.160 on Windows/OS X (and before 11.2.202.466 on Linux) let attackers escalate from Low to Medium integrity when used with Internet Explorer.
Vulnerability
The Flash broker in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X, and before 11.2.202.466 on Linux, contains an unspecified flaw that allows a transition from Low Integrity to Medium Integrity. The affected products also include Adobe AIR before 18.0.0.144 (Windows) / 18.0.0.143 (OS X, Android), and AIR SDK/SDK & Compiler before the corresponding versions. The issue is triggered specifically when Internet Explorer is used [1].
Exploitation
An attacker must have the ability to run untrusted Flash content in Internet Explorer on a system where Flash Player is at a Low integrity level. The exploitation vector is not further detailed in the available references, but the vulnerability enables a bypass of integrity-level security mechanisms without requiring user interaction beyond loading the malicious content [1].
Impact
Successful exploitation allows an attacker to escalate privileges from Low Integrity to Medium Integrity. This elevation can enable further attacks, such as bypassing security restrictions or achieving arbitrary code execution with the privileges of the current process, as noted by the Gentoo advisory [1].
Mitigation
Adobe released fixed versions: Flash Player 13.0.0.292, 18.0.0.160 (Windows/OS X), and 11.2.202.466 (Linux); AIR 18.0.0.144 (Windows) / 18.0.0.143 (OS X, Android); and the corresponding AIR SDK and AIR SDK & Compiler updates. The Gentoo advisory recommends upgrading to >=www-plugins/adobe-flash-11.2.202.466 [1]. No workaround is known. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=17.0.0.144
- (no CPE) range: <18.0.0.144 on Windows; <18.0.0.143 on OS X and Android
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=17.0.0.172
- (no CPE) range: <18.0.0.144 on Windows; <18.0.0.143 on OS X
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=17.0.0.172
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=13.0.0.289
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- range: <18.0.0.160 on Windows/OS X; <11.2.202.466 on Linux