Search
On this page ▾
CVE-2015-5119 — Adobe Flash Player Use-After-Free Vulnerability

CVE-2015-5119

Adobe Flash Player — UAF in AS3 ByteArray Class Zero-Day Exposed by Hacking Team Breach; Immediately Weaponized by All Major Exploit Kits; Emergency APSB15-16 (July 2015)
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support December 31, 2020.

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-5119 is the first and most significant of three Flash zero-days exposed by the July 2015 Hacking Team breach. The vulnerability is a use-after-free in Flash's ActionScript 3 ByteArray class that enables unauthenticated remote code execution. When Hacking Team's internal exploit repository was published online on July 5, 2015, security researchers and exploit kit operators identified CVE-2015-5119 within hours. By July 6 — before Adobe had released a patch — all four major exploit kits (Angler, Nuclear, Magnitude, Neutrino) had integrated weaponized versions of the exploit. Adobe released an emergency out-of-band patch APSB15-16 on July 8, 2015, just three days after the breach.

Affected Versions

Flash Player Platform Status
≤ 18.0.0.203 Windows / Mac Vulnerable
≤ 13.0.0.296 Windows / Mac (extended support) Vulnerable
≤ 11.2.202.468 Linux Vulnerable
18.0.0.209 Windows / Mac Fixed (APSB15-16)
13.0.0.302 Windows / Mac (extended support) Fixed (APSB15-16)
11.2.202.481 Linux Fixed (APSB15-16)
All versions All EOL — no further patches

Technical Details

Root Cause: Use-After-Free in AS3 ByteArray

CVE-2015-5119 is a use-after-free (CWE-416) vulnerability in Flash's ActionScript 3 runtime, specifically in the ByteArray class. The ByteArray class is a fundamental ActionScript data type providing a byte-level data buffer for reading, writing, and manipulating binary data.

The use-after-free occurs when:

  1. A ByteArray object is freed (garbage collected or explicitly deleted) in Flash's memory manager
  2. ActionScript code continues to hold and use a reference to the freed object
  3. The freed memory region is reallocated for a different purpose
  4. Subsequent operations on the stale ByteArray reference interact with the repurposed memory

This enables a standard Flash UAF exploitation technique:

  1. Heap spray — fill Flash's heap with attacker-controlled objects at predictable addresses
  2. Trigger UAF — free the ByteArray and immediately allocate a controlled object in its place
  3. Type confusion — the stale ByteArray pointer now points to the controlled object; treating attacker data as a ByteArray gives arbitrary read/write of Flash heap memory
  4. ASLR bypass and code execution — use heap read/write primitives to locate code and redirect execution

The Hacking Team Connection

Hacking Team was an Italian surveillance software company that sold offensive capabilities (the "Remote Control System" implant) to government law enforcement and intelligence agencies. Their exploit arsenal included zero-days purchased from independent researchers. The July 5, 2015 breach exposed Hacking Team's entire exploit inventory — including CVE-2015-5119, CVE-2015-5122 (DisplayObject UAF), and CVE-2015-5123 (BitmapData UAF), all Flash zero-days that had never been publicly disclosed.

The three-day window between the breach and Adobe's patch represents the most compressed and impactful Flash zero-day exploitation window of 2015.

Attack Characteristics

Attribute Detail
Attack Vector Network — malicious SWF via web page or ad
Authentication None required
User Interaction None required (Flash auto-executes)
Zero-Day Window 3 days (July 5–8, 2015)
Exploit Kits Angler, Nuclear, Magnitude, Neutrino (all integrated within 24 hours)
Origin Hacking Team breach

Discovery

CVE-2015-5119 was not independently discovered — it was exposed when Hacking Team's internal exploit code was published by the breach actor on July 5, 2015. Security researchers including Kafeine, Malwarebytes, and Trend Micro analyzed the leaked code and confirmed active exploitation before Adobe released APSB15-16.

Exploitation Context

  • Hacking Team breach impact: The simultaneous public release of three Flash zero-days was unprecedented; exploit kit operators had working code to study before Adobe knew the vulnerabilities were public, creating an unavoidable exploitation gap
  • Immediate exploit kit adoption: The speed of exploit kit integration — within 24 hours — demonstrated the professionalization of the exploit kit economy and the established infrastructure for rapidly weaponizing published PoC code
  • Mass exploitation window: During the 3 days between breach and patch, Angler and other kits served CVE-2015-5119 exploits via malvertising to millions of users on mainstream websites; ransomware (CryptoWall, TeslaCrypt) was the primary payload
  • Flash EOL legacy: Flash is permanently end-of-life since December 2020; all known Flash vulnerabilities including CVE-2015-5119 remain permanently unpatched for any remaining Flash installations
  • CISA KEV (2022): Added March 2022

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life with no further security updates.

  2. Migrate Flash-dependent applications — identify remaining Flash content (internal apps, kiosks, ICS HMIs) and migrate to HTML5 or another supported technology.

  3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

  4. Browser controls — all modern browsers have removed Flash support. IE11 with Flash (if still present) should be upgraded to Edge or Chrome.

Key Details

PropertyValue
CVE ID CVE-2015-5119
Vendor / Product Adobe — Flash Player
NVD Published2015-07-08
NVD Last Modified2025-11-17
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-416 — Use After Free find similar ↗
CISA KEV Added2022-03-03
CISA KEV Deadline2022-03-24
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

DateEvent
2015-07-05Hacking Team breach: 400GB of internal data published online, including exploit code for CVE-2015-5119 Flash UAF ByteArray zero-day
2015-07-06Security researchers identify CVE-2015-5119 in leaked Hacking Team exploit code; exploit immediately integrated into Angler, Nuclear, Magnitude, and Neutrino exploit kits
2015-07-08Adobe releases emergency out-of-band APSB15-16 patching CVE-2015-5119 in Flash Player 18.0.0.209
2015-07-08CVE-2015-5119 published by NVD
2020-12-31Adobe Flash Player reaches end-of-life
2022-03-03Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24CISA BOD 22-01 remediation deadline

References

ResourceType
NVD — CVE-2015-5119 Vulnerability Database
CISA KEV Catalog Entry US Government
Adobe Security Bulletin APSB15-16 — Security Update for Adobe Flash Player Vendor Advisory

Last updated: 2026-05-24

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML