Adobe Flash Player ByteArray valueOf Use-After-Free RCE
CVE-2015-5119 is a use-after-free vulnerability in the ActionScript 3 ByteArray class implementation in Adobe Flash Player. The flaw is triggered by crafted Flash content that overrides a valueOf function, leading to memory corruption during ByteArray handling. A remote attacker can exploit the resulting dangling-pointer condition to achieve arbitrary code execution or crash the process. The issue affected Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X, and 11.x through 11.2.202.468 on Linux. The vulnerability was exploited in the wild in July 2015 after exposure in the Hacking Team leak.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (POC) exploit for CVE-2015-5119, a critical vulnerability in Adobe Flash Player. The repository consists of four ActionScript (.as) files and a README. The main file, '0_poc.as', demonstrates the core exploit technique: it manipulates a ByteArray object and uses a custom valueOf method on an object to trigger a memory corruption condition. The other ActionScript files ('1_simplebyte.as', '2_simpleobject.as', '3_object_withvalueOf.as') provide simplified or incremental examples of ByteArray and object manipulation, likely to illustrate the steps leading up to the full exploit. There are no hardcoded network endpoints or file paths; the exploit is designed to be run in a Flash environment, typically within a browser. The code serves as a POC for researchers or analysts studying the vulnerability, rather than a weaponized exploit.
This repository contains a full exploit for CVE-2015-5119, a critical use-after-free vulnerability in Adobe Flash Player. The exploit is implemented in ActionScript 3 and is designed to be compiled into a malicious SWF file (CVE-2015-5119.swf), which is then loaded via an HTML page (bin/index.html) using JavaScript (swfobject.js). The exploit leverages heap spraying and memory corruption techniques to achieve arbitrary code execution. The code is modular, with separate classes for memory manipulation (ExploitByteArray, ExploitVector), ELF/PE parsing (Elf.as, PE.as, PE64.as), and the main exploit logic (Exploit.as, MyClass.as, Exploiter.as, Exploiter64.as). The exploit is capable of targeting both Windows and Linux platforms, depending on the payload and platform parameters. The payload is provided as a base64-encoded string, decoded at runtime, and executed as shellcode. The repository is operational and provides a working exploit chain, but the payload must be supplied by the attacker. No hardcoded C2 or network endpoints are present; exploitation is achieved via browser delivery of the SWF file.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day remote code execution vulnerability in Adobe Flash Player disclosed via the HackingTeam leak and significant because exploit code was exposed publicly before Adobe issued a patch.
A vulnerability heavily used by named threat actors (details not specified in content).
A vulnerability frequently used by named threat actors, likely for remote code execution.
An Adobe Flash vulnerability (zero-day at time of leak) disclosed via the 2015 Hacking Team leak.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.