CVE-2015-5122 — Adobe Flash Player Use-After-Free Vulnerability


Adobe Flash Player — UAF in AS3 DisplayObject Class; Second Hacking Team Breach Zero-Day; Patched APSB15-18 (July 2015)

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support on December 31, 2020.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-5122 is the second Flash zero-day exposed by the July 2015 Hacking Team breach — a use-after-free vulnerability in the ActionScript 3 DisplayObject class. Like CVE-2015-5119 (ByteArray UAF), CVE-2015-5122 was discovered in Hacking Team's leaked exploit repository after the July 5, 2015 breach. Adobe patched it alongside CVE-2015-5123 in APSB15-18 (July 14, 2015). The vulnerability was rapidly integrated into exploit kits following its public exposure, extending the mass exploitation window that began with CVE-2015-5119.

Affected Versions

| Flash Player | Platform | Status |
| --- | --- | --- |
| ≤ 18.0.0.209 | Windows / Mac | Vulnerable |
| ≤ 13.0.0.302 | Windows / Mac (extended support) | Vulnerable |
| ≤ 11.2.202.481 | Linux | Vulnerable |
| 18.0.0.213 | Windows / Mac | Fixed (APSB15-18) |
| 13.0.0.306 | Windows / Mac (extended support) | Fixed (APSB15-18) |
| 11.2.202.491 | Linux | Fixed (APSB15-18) |
| All versions | All | EOL — no further patches |
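
Added example (not part of the original advisory): a Python triage of inventoried Flash Player builds against the version boundaries in the table above. The host names, platform labels and the `unlisted` / `invalid` result names are assumptions made for the example; a `fixed` result only means the build carries the APSB15-18 fix, since every Flash Player build is end-of-life.

```python
# Boundaries copied from the Affected Versions table above:
# branch -> (last listed vulnerable build, first fixed build in APSB15-18).
BRANCHES = {
    "mainline": ((18, 0, 0, 209), (18, 0, 0, 213)),  # Windows / Mac
    "extended": ((13, 0, 0, 302), (13, 0, 0, 306)),  # Windows / Mac extended support
    "linux": ((11, 2, 202, 481), (11, 2, 202, 491)),
}

def parse_version(text):
    """Turn '18.0.0.209' (or '18,0,0,209', an assumed inventory format) into a 4-tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player build: {text!r}")
    return tuple(int(p) for p in parts)

def select_branch(version, platform):
    """Pick the table row that applies; None when the table has no matching row."""
    if platform == "linux":
        # The table lists only the 11.2 line for Linux.
        return "linux" if version[:2] <= (11, 2) else None
    if platform in ("windows", "mac"):
        return "extended" if version[0] == 13 else "mainline"
    return None

def triage(version_text, platform):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'invalid' for CVE-2015-5122."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "invalid"
    branch = select_branch(version, platform.lower())
    if branch is None:
        return "unlisted"
    last_vulnerable, first_fixed = BRANCHES[branch]
    if version <= last_vulnerable:
        return "vulnerable"
    if version >= first_fixed:
        return "fixed"  # fixed for this CVE only; the product is still end-of-life
    return "unlisted"  # build falls between the two listed boundaries

# Constructed sample inventory (host names and builds are made up for the example).
INVENTORY = [
    ("kiosk-01", "windows", "18.0.0.209"),
    ("hmi-07", "windows", "13.0.0.306"),
    ("build-03", "linux", "11.2.202.485"),
    ("lab-12", "mac", "18.0.0"),
]

def report(inventory):
    return {host: triage(build, platform) for host, platform, build in inventory}
```
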

Technical Details

Root Cause: Use-After-Free in AS3 DisplayObject

CVE-2015-5122 is a use-after-free (CWE-416) in Flash's ActionScript 3 DisplayObject class — the base class for all visual elements in Flash (sprites, movie clips, text fields, bitmaps). DisplayObject manages the display list (the visual hierarchy of elements on screen) and holds references to rendering state, event listeners, and parent/child relationships.

The UAF occurs when a DisplayObject instance is removed from the display list and freed, but a stale ActionScript reference continues to exist. When the freed object's memory is reallocated and subsequent operations are performed through the stale reference, type confusion occurs — allowing an attacker to:

  1. Control what data occupies the freed memory region
  2. Read and write Flash heap memory through the confused type system
  3. Identify function pointers and overwrite them with attacker-controlled values
  4. Execute arbitrary code

The exploitation technique is similar to CVE-2015-5119 but targets a different ActionScript class, providing a second independent code path for exploitation that remained available after CVE-2015-5119 was patched.

Hacking Team Breach Context

CVE-2015-5122 was the second zero-day found in Hacking Team's leaked exploit code. Researchers analyzing the 400GB breach dump found exploit code for three distinct Flash vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123), each targeting a different ActionScript class. This demonstrated that Hacking Team maintained an inventory of simultaneous Flash zero-days — a level of zero-day depth normally associated only with nation-state intelligence agencies.

Attack Characteristics

| Attribute | Detail |
| --- | --- |
| Attack Vector | Network — malicious SWF via web page or ad |
| Authentication | None required |
| User Interaction | None required (Flash auto-executes) |
| Origin | Hacking Team breach (July 5, 2015) |
| Exploit Kits | Angler, Nuclear, Magnitude |
| Patched | APSB15-18 (July 14, 2015) — 9 days after breach |

Discovery

The vulnerability was identified by security researchers analyzing the Hacking Team breach dump beginning July 5, 2015. Adobe released APSB15-18 on July 14, 2015, addressing both CVE-2015-5122 and CVE-2015-5123.

Exploitation Context

  • Sequential Hacking Team zero-day wave: The Hacking Team breach produced a sequential series of Flash zero-days: CVE-2015-5119 was patched July 8, CVE-2015-5122 and CVE-2015-5123 were patched July 14 — organizations that patched APSB15-16 promptly were still exposed to two additional unpatched zero-days for another six days
  • Exploit kit adoption: Exploit kits integrated CVE-2015-5122 as a fallback for targets that had already patched CVE-2015-5119, extending their effective exploitation window
  • Ransomware delivery: As with other Flash zero-days in 2015, the primary exploit kit payloads were ransomware (CryptoWall, TeslaCrypt, CryptoLocker variants), with some campaigns delivering banking trojans
  • Flash EOL legacy: Flash has been permanently end-of-life since December 2020; all known Flash vulnerabilities remain permanently unpatched for remaining installations
  • CISA KEV (2022): Added April 2022

Remediation

CISA BOD 22-01 Deadline: May 4, 2022. The impacted product is end-of-life and should be disconnected if still in use.
  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life with no further security updates.

  2. Migrate Flash-dependent applications — identify remaining Flash content (internal apps, kiosks, ICS HMIs) and migrate to HTML5 or another supported technology.

  3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

  4. Browser controls — all modern browsers have removed Flash support. IE11 with Flash (if still present) should be upgraded to Edge or Chrome.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2015-5122 |
| Vendor / Product | Adobe — Flash Player |
| NVD Published | 2015-07-14 |
| NVD Last Modified | 2025-11-17 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-416 — Use After Free |
| CISA KEV Added | 2022-04-13 |
| CISA KEV Deadline | 2022-05-04 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-05-04. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

| Date | Event |
| --- | --- |
| 2015-07-05 | Hacking Team breach: CVE-2015-5122 exploit code exposed alongside CVE-2015-5119 and CVE-2015-5123 |
| 2015-07-10 | Security researchers identify CVE-2015-5122 (DisplayObject UAF) in leaked Hacking Team data; exploit kit integration begins |
| 2015-07-14 | Adobe releases APSB15-18 patching CVE-2015-5122 and CVE-2015-5123 in Flash Player 18.0.0.213 |
| 2015-07-14 | CVE-2015-5122 published by NVD |
| 2020-12-31 | Adobe Flash Player reaches end-of-life |
| 2022-04-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-04 | CISA BOD 22-01 remediation deadline |