CVE-2015-8457
Description
Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8407.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in Adobe Flash Player's HLS handling allows remote code execution via a crafted page.
Vulnerability
A stack-based buffer overflow exists in Adobe Flash Player's handling of HTTP Live Streaming (HLS). The vulnerability stems from a failure to validate the size of a user-supplied buffer before copying it to a stack buffer [1]. Affected versions include Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X, and before 11.2.202.554 on Linux. Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 are also affected.
Exploitation
Exploitation requires user interaction: the target must visit a malicious web page or open a malicious file [1]. The attacker does not need prior authentication or special network position beyond serving the crafted content. The specific flaw is triggered during HLS stream processing, where a stack buffer is overflowed due to insufficient size validation.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [1]. This typically results in full compromise of the user's system, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights.
Mitigation
Adobe released fixed versions on December 10, 2015: Flash Player 20.0.0.228 (and 18.0.0.268 for older branches), AIR 20.0.0.204, and corresponding SDK updates. Users should update to these versions immediately. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.241
- (no CPE)range: <20.0.0.204
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=19.0.0.241
- (no CPE)range: <20.0.0.204
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.241
- (no CPE)range: <20.0.0.204
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.261
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*
- Range: <20.0.0.228
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- helpx.adobe.com/security/products/flash-player/apsb15-32.htmlnvdPatchVendor Advisory
- www.securityfocus.com/bid/78802nvd
- www.securitytracker.com/id/1034318nvd
- www.zerodayinitiative.com/advisories/ZDI-15-636nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
News mentions
0No linked articles in our index yet.