CVE-2015-3120
Description
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3121, CVE-2015-3122, and CVE-2015-4433.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player type confusion vulnerability allows remote code execution on Windows, OS X, and Linux via specially crafted SWF content.
Vulnerability
Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux, along with Adobe AIR before 18.0.0.180 and related SDKs, contains an unspecified type confusion vulnerability [1][2]. This flaw allows arbitrary code execution when a user visits a web page serving malicious SWF content, requiring no special configuration beyond having Flash Player or AIR installed.
Exploitation
An attacker must host or inject a crafted SWF file, then convince the victim to open the malicious page in a browser with a vulnerable Flash Player instance [1][2]. No authentication, user interaction beyond browsing, or local access is required. The type confusion triggers an unsafe memory access during Flash rendering, leading to attacker-controlled memory corruption.
Impact
Successful exploitation lets the attacker execute arbitrary code in the context of the user running Flash Player, gaining full system access to the affected host [2]. This can result in complete compromise of confidentiality, integrity, and availability, including data theft, malware installation, or creation of privileged accounts.
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.203 (Windows/OS X) and 11.2.202.481 (Linux), and AIR 18.0.0.180 [1][2]. Users should update immediately via the Adobe update mechanism or by downloading from the official site. Red Hat and Gentoo security advisories confirm these as the remediation steps [1][2]. No workaround is available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (29)
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=18.0.0.144
- (no CPE) range: <18.0.0.180
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (+ 1 more)
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=18.0.0.144
- (no CPE) range: <18.0.0.180
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=18.0.0.144
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (+ 21 more)
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.468
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
- (no CPE) range: <13.0.0.302, >=14.0.0.0 <18.0.0.203 (Windows/OS X); <11.2.202.481 (Linux)
- osv-coords (2 versions): pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012, pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.481-93.1 (+ 1 more)
- (no CPE) range: < 11.2.202.481-93.1
- (no CPE) range: < 11.2.202.481-93.1
Patches (0)
No patches discovered yet.
References (7)
- helpx.adobe.com/security/products/flash-player/apsb15-16.html (nvd: Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html (nvd: Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2015-1214.html (nvd: Third Party Advisory)
- www.securityfocus.com/bid/75595 (nvd: Third Party Advisory, VDB Entry)
- security.gentoo.org/glsa/201507-13 (nvd: Third Party Advisory)
- www.securitytracker.com/id/1032810 (nvd)