Unrated severityNVD Advisory· Published Aug 14, 2015· Updated May 6, 2026

CVE-2015-5541

Description

Heap-based buffer overflow in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5129.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in Adobe Flash Player before 18.0.0.232/11.2.202.508 allows remote code execution via unspecified vectors.

Vulnerability

A heap-based buffer overflow vulnerability exists in Adobe Flash Player before 18.0.0.232 on Windows and OS X, before 11.2.202.508 on Linux, and in Adobe AIR before 18.0.0.199 (including SDK and SDK & Compiler). The flaw can be triggered through unspecified vectors, allowing an attacker to corrupt memory and potentially execute arbitrary code. This is distinct from CVE-2015-5129 [1][2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash file (SWF) or visit a web page containing malicious Flash content. No authentication is required, and the attack can be delivered remotely via a browser or any application that embeds Flash Player. The user interaction is limited to simply viewing or interacting with the malicious content [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected process. This can lead to full system compromise, including installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights. The impact is rated as critical with a CVSS score not fully specified but typically 9.3 or higher for such Flash vulnerabilities [1][2].

Mitigation

Adobe has released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux); AIR 18.0.0.199. Users should update immediately. Red Hat and Gentoo have shipped updates for their distributions. There is no known workaround; disabling Flash Player is the only alternative [1][2].

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Air2 versions
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: before 18.0.0.199
Adobe Inc./Air Sdk2 versions
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: before 18.0.0.199
Adobe Inc./Air Sdk \& Compiler2 versions
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: before 18.0.0.199
Adobe Inc./Flashplayer2 versions
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.491
- (no CPE)range: before 18.0.0.232 on Windows/OS X; before 11.2.202.508 on Linux
osv-coords4 versions
pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000