CVE-2015-0313 — Adobe Flash Player Use-After-Free Vulnerability

Adobe Flash Player — Use-After-Free Zero-Day Exploited via Malvertising Before Patch; Hanjuan/Neutrino Exploit Kits; Out-of-Band APSB15-04

What Is Adobe Flash Player?

Adobe Flash Player was the dominant cross-platform multimedia browser plugin from the late 1990s through the mid-2010s, installed on over 90% of internet-connected computers. Adobe ended Flash Player support December 31, 2020. January and February 2015 saw an unprecedented succession of Flash zero-days — three distinct zero-days (CVE-2015-0311, CVE-2015-0313, and CVE-2015-5119) were exploited before Adobe could patch them.

See related zero-days from this period: CVE-2015-0311 (January 2015 Angler zero-day), CVE-2015-5119 (July 2015 Hacking Team zero-day).

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-0313 is a use-after-free zero-day in Adobe Flash Player exploited in active malvertising campaigns before Adobe released a patch. Trend Micro and researcher Kafeine documented its deployment by the Hanjuan exploit kit (also called Nan Haishu) less than one week after the previous Flash zero-day (CVE-2015-0311) was patched. Adobe released the out-of-band patch APSB15-04 on February 5, 2015. The exploit required no user interaction — any user visiting a web page with the malicious Flash content was silently compromised.

Affected Versions

Flash Player | Platform | Status
≤ 16.0.0.305 | Windows / Mac | Vulnerable
≤ 11.2.202.442 | Linux | Vulnerable
≥ 16.0.0.305 (fixed) | Windows / Mac | Fixed (APSB15-04)
≥ 11.2.202.443 (fixed) | Linux | Fixed (APSB15-04)
All versions | All | EOL — no further patches

Technical Details

Root Cause: Use-After-Free in Flash Player

A use-after-free occurs when Flash Player frees a heap object but retains a pointer to the freed memory, later using that dangling pointer to access the object. If an attacker can control the heap allocation that occupies the freed memory region, the subsequent access reads attacker-controlled data — allowing virtual dispatch table (vtable) pointer replacement, function pointer corruption, or other control flow manipulation.

CVE-2015-0313 involves this class of vulnerability in Flash Player's ActionScript execution engine or object lifecycle management. When processing a specially crafted SWF file, Flash frees an internal object prematurely, then dereferences the stale pointer — at which point the attacker's heap spray has placed controlled data at that location, redirecting execution to attacker-controlled code.

Use-After-Free Exploitation Technique

Use-after-free in Flash Player was the dominant exploitation primitive in 2014–2015:

  1. Trigger the free: Crafted ActionScript or SWF structure causes Flash to free a target object
  2. Occupy the freed memory: Heap grooming / spraying places attacker-controlled data at the freed location
  3. Trigger the use: Flash dereferences the stale pointer, now reading attacker-controlled vtable or function pointer
  4. Code execution: Flash jumps to the attacker-controlled address, executing shellcode or a ROP chain
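
Steps 1 to 3 above (free, reoccupy, stale use), modelled on a fixed slot pool so that nothing in it is undefined behaviour. This is an added example, not code from Flash Player or from the original page; the pool, `handle_t` and the generation counter are hypothetical names. The checked accessor shows one general mitigation for this bug class, generation-tagged handles, under which a stale reference fails closed instead of aliasing the new occupant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 4

/* Pool slot: gen is bumped on every free, so older handles stop matching. */
typedef struct { uint32_t gen; int live; char data[16]; } slot_t;
typedef struct { uint32_t idx, gen; } handle_t;   /* hypothetical names */
static slot_t pool[SLOTS];

/* Take the lowest free slot, as an allocator reusing a freed chunk would. */
handle_t pool_alloc(const char *data) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            strncpy(pool[i].data, data, sizeof pool[i].data - 1);
            return (handle_t){ i, pool[i].gen };
        }
    }
    return (handle_t){ SLOTS, 0 };                /* pool exhausted */
}

void pool_free(handle_t h) {
    if (h.idx < SLOTS && pool[h.idx].live && pool[h.idx].gen == h.gen) {
        pool[h.idx].live = 0;
        pool[h.idx].gen++;                        /* invalidates old handles */
    }
}

/* Unchecked: trusts the index alone, like a raw dangling pointer. */
const char *get_unchecked(handle_t h) {
    return h.idx < SLOTS ? pool[h.idx].data : NULL;
}

/* Checked: a stale or freed handle is rejected (NULL) instead of aliasing. */
const char *get_checked(handle_t h) {
    int ok = h.idx < SLOTS && pool[h.idx].live && pool[h.idx].gen == h.gen;
    return ok ? pool[h.idx].data : NULL;
}

int main(void) {
    handle_t victim = pool_alloc("owner-object");
    pool_free(victim);                              /* 1: freed, handle kept */
    handle_t other = pool_alloc("unrelated-data");  /* 2: slot reoccupied */
    printf("unchecked: %s\n", get_unchecked(victim));   /* 3: stale use */
    printf("checked:   %s\n", get_checked(victim) ? "ok" : "rejected");
    printf("live:      %s\n", get_checked(other));
    return 0;
}
```

The unchecked accessor returns the second object's contents through the first object's handle, which is the aliasing that step 3 relies on; the checked accessor returns `NULL` for the same handle.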

The Flash Zero-Day Succession

January–February 2015 demonstrated an accelerating cycle of Flash zero-day exploitation:

  • CVE-2015-0311: Exploited by Angler, patched January 27 (APSB15-03)
  • CVE-2015-0313: Exploited by Hanjuan only days later, patched February 5 (APSB15-04)

This pattern illustrated that multiple threat actors held independent Flash zero-days simultaneously — when Adobe patched one group's exploit, another group's remained active.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious SWF via web page or ad
Authentication | None required
User Interaction | None required (auto-executes in Flash)
Exploit Kit | Hanjuan/Nan Haishu (February 2015)
Vulnerability Type | Use-after-free (CWE-416)

Discovery

The vulnerability was discovered and publicly documented by Trend Micro researchers and Kafeine in early February 2015 during malvertising campaign analysis. The discovery came less than one week after the previous Flash zero-day (CVE-2015-0311) was patched, highlighting the speed at which new Flash zero-days entered active exploitation.

Exploitation Context

  • Hanjuan exploit kit: A Chinese-nexus exploit kit that maintained Flash zero-days and targeted East Asian users; CVE-2015-0313 was observed in Hanjuan campaigns targeting users via compromised ad networks
  • Malvertising delivery: Malicious ads containing the exploit SWF were served through legitimate advertising networks, exposing users of major legitimate websites
  • Flash zero-day succession: CVE-2015-0313 was the second Flash zero-day in two weeks — the January–February 2015 period saw unprecedented Flash zero-day frequency, prompting security professionals to call for Flash's elimination
  • Adobe's out-of-band response: Adobe's rapid 3-day patch turnaround (discovered February 2 → patched February 5) was atypically fast, reflecting recognition of the severity of ongoing mass exploitation
  • Flash EOL legacy: Flash is permanently end-of-life since December 2020; any system still running Flash is permanently exposed to CVE-2015-0313 and all other Flash vulnerabilities
  • CISA KEV (2022): Added April 2022

Remediation

CISA BOD 22-01 Deadline: May 4, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows.
  2. Migrate Flash dependencies — any Flash-dependent application is permanently unpatched against this and all other known Flash vulnerabilities; migration to HTML5 is the only durable fix.
  3. Network isolation — Flash-dependent systems that cannot be immediately decommissioned must be isolated from untrusted networks.
  4. Browser controls — modern browsers have removed Flash support entirely; legacy browsers with Flash plugins should be replaced.

Key Details

Property | Value
CVE ID | CVE-2015-0313
Vendor / Product | Adobe — Flash Player
NVD Published | 2015-02-02
NVD Last Modified | 2025-11-17
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-416 — Use After Free
CISA KEV Added | 2022-04-13
CISA KEV Deadline | 2022-05-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-04. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
2015-01-27 | Adobe releases APSB15-03 (patches CVE-2015-0311 zero-day)
2015-02-01 | CVE-2015-0313 zero-day discovered in active exploitation via malvertising campaigns
2015-02-02 | CVE-2015-0313 published by NVD; Trend Micro and Kafeine report active exploitation by Hanjuan exploit kit
2015-02-05 | Adobe releases out-of-band APSB15-04 patching CVE-2015-0313
2020-12-31 | Adobe Flash Player reaches end-of-life
2022-04-13 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-04 | CISA BOD 22-01 remediation deadline