CVE-2015-5123 — Adobe Flash Player Use-After-Free Vulnerability

Adobe Flash Player — UAF in AS3 BitmapData Class; Third Hacking Team Breach Zero-Day; Patched APSB15-18 (July 2015)

What Is Adobe Flash Player?

Adobe Flash Player was the ubiquitous cross-platform multimedia browser plugin, installed on over 90% of internet-connected computers at peak deployment. Flash's universal presence made every Flash vulnerability a potential attack vector against virtually any Windows, macOS, or Linux system with a browser. Adobe ended Flash Player support on December 31, 2020.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-5123 is the third Flash zero-day exposed by the July 2015 Hacking Team breach — a use-after-free in the ActionScript 3 BitmapData class. It was discovered alongside CVE-2015-5122 (DisplayObject UAF) in Hacking Team's leaked exploit code, and both were patched together in Adobe's APSB15-18 (July 14, 2015). The three Hacking Team Flash zero-days (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) formed a single cache of Flash exploits, exposed at once, that made July 2015 the worst month for Flash zero-days in the plugin's history.

Affected Versions

Flash Player | Platform | Status
≤ 18.0.0.209 | Windows / Mac | Vulnerable
≤ 13.0.0.302 | Windows / Mac (extended support) | Vulnerable
≤ 11.2.202.481 | Linux | Vulnerable
18.0.0.213 | Windows / Mac | Fixed (APSB15-18)
13.0.0.306 | Windows / Mac (extended support) | Fixed (APSB15-18)
11.2.202.491 | Linux | Fixed (APSB15-18)
All versions | All | EOL — no further patches
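
A version check built from the table above, for triaging a software inventory export. This is an added example, not part of the original advisory; the host names, inventory rows, status labels, and the rule that any build below the fixed release counts as vulnerable are assumptions.

```python
# Added example: thresholds are copied from the Affected Versions table.
# Branch selection, status labels and inventory rows are assumptions.

# (platform family, branch) -> first release carrying the APSB15-18 fix
FIXED = {
    ("desktop", 18): (18, 0, 0, 213),  # Windows / Mac current branch
    ("desktop", 13): (13, 0, 0, 306),  # Windows / Mac extended support
    ("linux", 11): (11, 2, 202, 491),  # Linux
}

def parse_version(text):
    """Turn '18.0.0.209' or '18,0,0,209' into a 4-tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(platform, version_text):
    """Return 'vulnerable', 'fixed-but-eol' or 'unknown' for one install."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable inventory field: needs a manual look
    if platform.strip().lower() == "linux":
        fixed = FIXED[("linux", 11)]
    elif version[0] <= 13:
        fixed = FIXED[("desktop", 13)]
    else:
        fixed = FIXED[("desktop", 18)]
    # Assumption: builds between the last listed vulnerable release and the
    # fixed release are treated as vulnerable (conservative reading).
    # Every build is end-of-life, so "fixed" still means "remove it".
    return "vulnerable" if version < fixed else "fixed-but-eol"

# Constructed inventory rows: (host, platform, reported Flash version)
INVENTORY = [
    ("kiosk-01", "Windows", "18.0.0.209"),
    ("hmi-07", "Windows", "13.0.0.306"),
    ("build-03", "Linux", "11.2.202.481"),
    ("mac-12", "Mac", "32.0.0.465"),
    ("lab-02", "Windows", "n/a"),
]

def report(inventory):
    """Map each host to its triage status for CVE-2015-5123."""
    return {host: triage(plat, ver) for host, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```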

Technical Details

Root Cause: Use-After-Free in AS3 BitmapData

CVE-2015-5123 is a use-after-free (CWE-416) in Flash's BitmapData class — a core ActionScript 3 type representing a pixel array used for bitmap image manipulation, pixel blitting, and graphics operations. BitmapData objects hold references to pixel data buffers allocated in Flash's heap.

The UAF unfolds as follows:

  1. A BitmapData object is freed or garbage collected while a stale ActionScript reference remains
  2. The freed memory is reallocated for an attacker-controlled object (via heap grooming with predictable AS3 allocations)
  3. Operations on the stale BitmapData reference interact with the attacker-controlled allocation
  4. This provides the attacker with type confusion — treating attacker-controlled data as a BitmapData object — enabling controlled heap read/write

Combined with a heap spray to place predictable data at known addresses, this class of UAF is highly reliable for achieving code execution in Flash's JIT-compiled ActionScript environment.

Three Zero-Days, One Breach

The Hacking Team breach simultaneously exposed three distinct Flash UAFs targeting three different AS3 classes:

CVE | AS3 Class | Patched
CVE-2015-5119 | ByteArray | APSB15-16 (July 8)
CVE-2015-5122 | DisplayObject | APSB15-18 (July 14)
CVE-2015-5123 | BitmapData | APSB15-18 (July 14)

Each targets a different Flash subsystem — binary data, display rendering, and pixel graphics respectively — demonstrating that Hacking Team's researchers had conducted deep, systematic analysis of Flash's memory management across multiple components.

Attack Characteristics

Attribute | Detail
Attack Vector | Network — malicious SWF via web page or ad
Authentication | None required
User Interaction | None required (Flash auto-executes)
Origin | Hacking Team breach (July 5, 2015)
Patched | APSB15-18 (July 14, 2015) — 9 days after breach

Discovery

Identified by security researchers analyzing the Hacking Team breach dump. Adobe patched CVE-2015-5123 alongside CVE-2015-5122 in APSB15-18 on July 14, 2015, six days after the first Hacking Team Flash patch (APSB15-16 for CVE-2015-5119).

Exploitation Context

  • Depth of zero-day inventory: The existence of three simultaneous Flash zero-days in a single company's exploit toolkit was remarkable; it indicated that well-resourced offensive security teams were conducting systematic Flash vulnerability research across multiple internal subsystems
  • Cascading exploitation windows: The sequential release of three patches over nine days meant that even organizations with excellent patch management were exposed to at least one Hacking Team Flash zero-day for the entire period; organizations patching APSB15-16 immediately still faced CVE-2015-5122 and CVE-2015-5123 for six more days
  • Exploit kit arsenal expansion: Exploit kits added each Hacking Team zero-day to their arsenal; Angler in particular rapidly integrated all three CVEs, using whichever remained unpatched on the target system
  • Flash EOL legacy: Flash has been end-of-life since December 2020; all known Flash vulnerabilities remain permanently unpatched
  • CISA KEV (2022): Added April 2022

Remediation

CISA BOD 22-01 Deadline: May 4, 2022. The impacted product is end-of-life and should be disconnected if still in use.
  1. Remove Flash Player — uninstall from all systems. Adobe's Flash uninstaller and Microsoft's KB4577586 (Windows Update) remove Flash from Windows. Flash is permanently end-of-life with no further security updates.

  2. Migrate Flash-dependent applications — identify remaining Flash content (internal apps, kiosks, ICS HMIs) and migrate to HTML5 or another supported technology.

  3. Network isolation — Flash-dependent systems that cannot be decommissioned should be isolated from internet access and untrusted networks.

  4. Browser controls — all modern browsers have removed Flash support. IE11 with Flash (if still present) should be upgraded to Edge or Chrome.

Key Details

Property | Value
CVE ID | CVE-2015-5123
Vendor / Product | Adobe — Flash Player
NVD Published | 2015-07-14
NVD Last Modified | 2025-11-17
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-416 — Use After Free
CISA KEV Added | 2022-04-13
CISA KEV Deadline | 2022-05-04
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-04. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date | Event
2015-07-05 | Hacking Team breach: CVE-2015-5123 exploit code exposed alongside CVE-2015-5119 and CVE-2015-5122
2015-07-10 | Security researchers identify CVE-2015-5123 (BitmapData UAF) in leaked Hacking Team data
2015-07-14 | Adobe releases APSB15-18 patching CVE-2015-5123 and CVE-2015-5122 in Flash Player 18.0.0.213
2015-07-14 | CVE-2015-5123 published by NVD
2020-12-31 | Adobe Flash Player reaches end-of-life
2022-04-13 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-04 | CISA BOD 22-01 remediation deadline