CVE-2015-0310 — Adobe Flash Player ASLR Bypass Vulnerability

CVE-2015-0310

Adobe Flash Player — Memory Address Disclosure Bypasses ASLR; Used with CVE-2015-0311 in Angler Exploit Kit Drive-By Attacks; Patched APSB15-02

What Is Adobe Flash Player?

Adobe Flash Player was a cross-platform browser plugin for rich multimedia content, installed on over 90% of internet-connected computers at peak deployment. Its ubiquity made it the most targeted browser plugin in the 2000s and 2010s. Adobe ended Flash Player support December 31, 2020.

See also related Flash vulnerabilities from this period: CVE-2015-0311 (paired RCE), CVE-2015-0313 (use-after-free zero-day).

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-0310 is an information disclosure vulnerability in Adobe Flash Player that allows attackers to bypass Address Space Layout Randomization (ASLR) by discovering memory addresses within the Flash Player process. Observed in January 2015 being actively exploited by the Angler exploit kit in combination with CVE-2015-0311 — CVE-2015-0310 provided the memory layout needed to make the CVE-2015-0311 RCE reliable. Patched in APSB15-02 (January 22, 2015).

Affected Versions

Flash Player       Platform        Status
≤ 16.0.0.287       Windows / Mac   Vulnerable
≤ 11.2.202.440     Linux           Vulnerable
≥ 16.0.0.296       Windows / Mac   Fixed (APSB15-02)
≥ 11.2.202.442     Linux           Fixed (APSB15-02)
All versions       All             EOL — no further patches
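As an added inventory-triage helper (not part of the original advisory), the following Python classifies Flash builds reported by endpoints against the fixed builds in the table above. It assumes version strings arrive either as a bare build number ("16.0.0.287") or in the "WIN 16,0,0,287" form that Flash's flash.system.Capabilities.version reports; the hosts and builds in the sample inventory are constructed.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds per platform, from the Affected Versions table (APSB15-02).
FIXED_BUILD = {"windows": (16, 0, 0, 296), "mac": (16, 0, 0, 296),
               "linux": (11, 2, 202, 442)}
# Platform token flash.system.Capabilities.version puts before the build
# number (e.g. "WIN 16,0,0,287"), mapped to the table's platform rows.
PLATFORM_TOKENS = {"WIN": "windows", "MAC": "mac", "LNX": "linux"}

class FlashAssessment(NamedTuple):
    host: str
    platform: str
    build: tuple
    status: str  # "vulnerable", "patched" or "unknown-platform"

def parse_build(text: str) -> tuple:
    """Accept '16.0.0.287', '16,0,0,287' or 'WIN 16,0,0,287'; return a 4-tuple."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no Flash build number in {text!r}")
    return tuple(int(part) for part in m.groups())

def detect_platform(text: str) -> Optional[str]:
    """Map the leading Capabilities.version token to a platform, if present."""
    return PLATFORM_TOKENS.get(text.strip().split(" ", 1)[0].upper())

def assess(host: str, version_text: str, platform: Optional[str] = None) -> FlashAssessment:
    """Classify one host's reported Flash build against the APSB15-02 fixed build."""
    platform = platform or detect_platform(version_text)
    build = parse_build(version_text)
    if platform not in FIXED_BUILD:
        return FlashAssessment(host, platform or "?", build, "unknown-platform")
    # Tuple comparison orders all four components numerically, so
    # 16.0.0.296 > 16.0.0.287 and 11.2.202.442 > 11.2.202.440.
    status = "patched" if build >= FIXED_BUILD[platform] else "vulnerable"
    return FlashAssessment(host, platform, build, status)

# Constructed sample inventory (hypothetical hosts); every entry is also EOL.
SAMPLE_INVENTORY = [("ws-01", "WIN 16,0,0,287", None), ("ws-02", "WIN 16,0,0,296", None),
                    ("lx-01", "11.2.202.440", "linux"), ("lx-02", "LNX 11,2,202,442", None),
                    ("mac-01", "MAC 15,0,0,239", None)]

def hosts_needing_action(inventory=SAMPLE_INVENTORY) -> list:
    """Hosts still on a build the page lists as vulnerable to CVE-2015-0310."""
    return [a.host for a in (assess(h, v, p) for h, v, p in inventory)
            if a.status == "vulnerable"]
```

A "patched" result only means the APSB15-02 fix is present; since every Flash build is end-of-life, the Remediation section's removal steps still apply to those hosts.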

Technical Details

Root Cause: Flash Memory Address Disclosure Bypasses ASLR

CVE-2015-0310 involves a Flash Player code path that improperly discloses internal memory address information — likely through ActionScript 3 APIs, object property inspection, or Flash's native data handling — in a way that an attacker-controlled SWF can observe. The disclosed addresses correspond to Flash Player modules or heap allocations, allowing the attacker to determine the exact memory layout of the Flash process.

Exploit Chain with CVE-2015-0311

In January 2015, security researchers observed the Angler exploit kit deploying CVE-2015-0310 and CVE-2015-0311 together as a two-component exploit chain:

  1. CVE-2015-0310 (ASLR bypass): The malicious SWF first triggers CVE-2015-0310 to learn the Flash memory layout
  2. CVE-2015-0311 (RCE): With addresses known, the SWF triggers CVE-2015-0311, now building a reliable ROP chain using the leaked addresses
  3. Code execution delivered — the combined chain achieves reliable arbitrary code execution with no memory randomization protection

This paired-exploit technique was the standard approach for Flash drive-by attacks in 2015: ASLR bypass first, then RCE with known addresses.

Attack Characteristics

Attribute       Detail
Attack Vector   Local (AV:L) — SWF opened locally or embedded
Exploit Role    ASLR bypass — first stage of two-stage chain
Paired With     CVE-2015-0311 (the RCE component)
Exploit Kit     Angler exploit kit (January 2015)
Delivery        Malvertising, drive-by download

Discovery

CVE-2015-0310 was identified during analysis of Angler exploit kit traffic by security researchers in January 2015. Its exploitation in the wild, paired with CVE-2015-0311, prompted Adobe to release APSB15-02 on January 22, 2015 — followed five days later by the out-of-band APSB15-03 patch for CVE-2015-0311 as a separate zero-day.

Exploitation Context

  • Angler exploit kit: Angler was the most sophisticated exploit kit of the 2015 era, first to weaponize new Flash vulnerabilities; CVE-2015-0310 + CVE-2015-0311 formed a complete drive-by attack chain deployed in malvertising campaigns reaching millions of users
  • Malvertising delivery: Malicious Flash ads delivered through legitimate ad networks exposed users of major websites to drive-by exploitation without any compromise of those sites
  • Flash EOL legacy: Flash is permanently end-of-life since December 2020; CISA KEV addition in 2022 reflects exploitation against legacy Flash deployments on unmanaged systems
  • CISA KEV (2022): Added May 2022

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall from all systems. Adobe's uninstaller is available, and Microsoft distributed KB4577586 to remove Flash via Windows Update.

  2. Migrate Flash-dependent applications — identify remaining Flash dependencies and migrate to HTML5 or another supported technology.

  3. Block Flash at the network/browser level — all modern browsers have removed Flash support. Legacy IE11 can block Flash via Group Policy.

  4. Network isolation — if Flash-dependent systems cannot be decommissioned immediately, isolate them from internet access to prevent drive-by delivery of malicious SWF files.

Key Details

Property              Value
CVE ID                CVE-2015-0310
Vendor / Product      Adobe — Flash Player
NVD Published         2015-01-23
NVD Last Modified     2025-11-17
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added        2022-05-25
CISA KEV Deadline     2022-06-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date         Event
2015-01-22   Adobe Security Bulletin APSB15-02 released; CVE-2015-0310 patched in Flash Player 16.0.0.296
2015-01-23   CVE-2015-0310 published by NVD; Angler exploit kit observed using this bug paired with CVE-2015-0311
2015-01-27   Adobe releases out-of-band patch APSB15-03 for CVE-2015-0311 zero-day
2020-12-31   Adobe Flash Player reaches end-of-life
2022-05-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15   CISA BOD 22-01 remediation deadline