CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2015-5122

CVSS 9.8v3.1pub. 2015-07-14upd. 2026-04-21

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Adobe Flash Player

    APP
    Adobe
    13.0 – 13.0.0.30218.0 – 18.0.0.20318.0 – 18.0.0.20411.0 – 11.2.202.481
  • Adobe Flash Player Desktop Runtime

    APP
    Adobe
    18.0 – 18.0.0.203
  • Apple macOS

    OS
    Apple
    wszystkie wersje
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
  • Microsoft Windows 8

    OS
    Microsoft
    wszystkie wersje
  • Microsoft Windows 8.1

    OS
    Microsoft
    wszystkie wersje
  • Opensuse Evergreen

    OS
    Opensuse
    11.4
  • Red Hat Enterprise Linux Desktop

    OS
    Redhat
    5.06.0
  • Red Hat Enterprise Linux Server

    OS
    Redhat
    5.06.0
  • Red Hat Enterprise Linux Server Eus

    OS
    Redhat
    6.6
  • Red Hat Enterprise Linux Workstation

    OS
    Redhat
    5.06.0
  • SUSE Linux Enterprise Desktop

    OS
    Suse
    1112
  • SUSE Linux Enterprise Workstation Extension

    OS
    Suse
    12

CISA KEV — detailsi

Vendori
Adobe
Producti
Flash Player
Added to KEVi
April 13, 2022
Remediation deadline (US Federal)i
May 4, 2022(overdue)
Required action (CISA)i

The impacted product is end-of-life and should be disconnected if still in use.

CISA descriptioni

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service (DoS).

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 maja 2022
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP