Unrated severityNVD Advisory· Published Jul 20, 2015· Updated May 6, 2026

CVE-2015-5124

Description

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player and AIR before patched versions allow remote code execution or denial of service via memory corruption.

Vulnerability

A memory corruption vulnerability exists in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, before 11.2.202.481 on Linux, and in Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180. The flaw is triggered by unspecified vectors, meaning an attacker can craft a malicious SWF file that, when loaded by a vulnerable Flash Player instance, causes memory corruption.

Exploitation

An attacker can exploit this vulnerability by hosting a malicious SWF file on a website or injecting it into a compromised advertisement network. The victim must visit the crafted page using a browser with an affected Flash Player version. No authentication or user interaction beyond normal browsing is required.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the current user (full compromise of the browser and possibly the system) or cause a denial of service (crash). The attacker gains the ability to read, modify, or exfiltrate sensitive data, install malware, or take other malicious actions on the victim's machine.

Mitigation

Adobe released fixed versions Flash Player 18.0.0.203 (Windows/OS X), 11.2.202.481 (Linux), and AIR 18.0.0.180 on July 14, 2015 [1][2]. Red Hat and Gentoo also released updated packages [1][2]. Users should update to the latest version or disable Flash Player if updating is not possible. No workaround exists apart from updating.

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Air2 versions
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
- (no CPE)range: <18.0.0.180
Adobe Inc./Air Sdk2 versions
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.144
- (no CPE)range: <18.0.0.180
Adobe Inc./Air Sdk \& Compiler2 versions
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=18.0.0.144
- (no CPE)range: <18.0.0.180
Adobe Inc./Flashplayer22 versions
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 21 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
- (no CPE)range: <13.0.0.302 or >=14.0 <18.0.0.203 (Windows/OS X); <11.2.202.481 (Linux)
OpenSUSE/Evergreen
cpe:2.3:o:opensuse:evergreen:11.4:*:*:*:*:*:*:*
osv-coords4 versions
pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvdThird Party Advisory
www.securityfocus.com/bid/75959nvdThird Party AdvisoryVDB Entry
helpx.adobe.com/security/products/flash-player/apsb15-16.htmlnvdVendor Advisory
rhn.redhat.com/errata/RHSA-2015-1214.htmlnvd
www.securitytracker.com/id/1032810nvd
security.gentoo.org/glsa/201508-01nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000