CVE-2015-8820

high-risk

Published 2016-03-04

Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via crafted MPEG-4 data, a different vulnerability than CVE-2015-8045, CVE-2015-8047, CVE-2015-8060, CVE-2015-8408, CVE-2015-8416, CVE-2015-8417, CVE-2015-8418, CVE-2015-8419, CVE-2015-8443, CVE-2015-8444, CVE-2015-8451, CVE-2015-8455, CVE-2015-8652, CVE-2015-8654, CVE-2015-8656, CVE-2015-8657, and CVE-2015-8658.

Do I need to act?

8.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (10)

Flash Player

Flash Player Desktop Runtime

Flash Player

Air Sdk \& Compiler

Air

Flash Player

Air Desktop Runtime

Air Sdk

Affected Vendors

Adobe

References (6)

Exploit http://www.securityfocus.com/bid/84160

Third Party Advisory http://www.zerodayinitiative.com/advisories/ZDI-15-661

Patch https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

Exploit http://www.securityfocus.com/bid/84160

Third Party Advisory http://www.zerodayinitiative.com/advisories/ZDI-15-661

Patch https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 10/34 · Low

Exposure 16/34 · Moderate