CVE-2015-5129
Description
Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5541.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 allows remote code execution via unspecified vectors.
Vulnerability
Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X, and prior to 11.2.202.508 on Linux, along with Adobe AIR versions before 18.0.0.199, contain a heap-based buffer overflow vulnerability [1][2]. The flaw is triggered by unspecified vectors, likely involving malformed SWF content, and is distinct from CVE-2015-5541 [1].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a crafted Flash file (e.g., via a malicious web page or email attachment). No authentication or special network position is required, as the attack can be mounted remotely. The undefined nature of the vectors suggests a memory corruption path that is reachable without user interaction beyond loading the content [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the affected Flash Player or AIR process, potentially leading to full system compromise [1][2]. The vulnerability could also be used to cause a denial of service or bypass security restrictions [2].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199 [1][2]. Red Hat and Gentoo have provided updated packages [1][2]. Users should upgrade immediately; there is no known workaround [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=18.0.0.180
- Range: <18.0.0.232 (Windows/OS X) and <11.2.202.508 (Linux)
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvdThird Party Advisory
- www.securityfocus.com/bid/76282nvdThird Party AdvisoryVDB Entry
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201508-01nvd
News mentions
0No linked articles in our index yet.