CVE-2015-0336
published 2015-03-13
CVE-2015-0336: Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute…
Priority P181 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.54% (99.3th percentile)
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | <= 13.0.0.264 | — |
| adobe | flash_player | <= 11.2.202.442 | — |
| adobe | flash_player | — | — |
Detection & IOCs (extracted from sources)
URL: https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/
- The exploit delivers two SWF files: a main exploit SWF (msf.swf) and a trigger SWF (trigger.swf), both served with Content-Type application/x-shockwave-flash. Detect HTTP responses serving SWF content referencing CVE-2015-0336 exploit paths.
- The Metasploit module targets Windows 7 SP1 (32-bit) with IE 8/IE11 and Adobe Flash 16.0.0.305 specifically. Browser requirement checks for Flash version matching ^16\.; use this to scope detection to vulnerable Flash versions.
- The Angler Exploit Kit used 302 cushioning and domain shadowing to deliver the Flash CVE-2015-0336 exploit. The function name 'flash_run' appears in the exploit kit's deobfuscated code as the handler for this specific CVE.
- Angler EK payload was delivered as an LZMA compressed SWF followed by an encrypted malware payload. Detect LZMA-compressed SWF files in HTTP traffic as a sign of Angler EK exploitation.
- The exploit HTML template embeds the SWF via an <object> tag with FlashVars parameters 'sh' and 'tr'. Detect HTML pages containing both FlashVars with 'sh=' and 'tr=' parameters alongside SWF object tags as a potential exploit delivery indicator.
- The exploit targets the NetConnection class in Adobe Flash Player. Monitor for Flash processes spawning unexpected child processes (e.g., cmd.exe, powershell.exe) as a post-exploitation indicator.
- The Metasploit module's browser requirements restrict exploitation to Windows 7 SP1 (32-bit) with Internet Explorer and Flash versions matching ^16.x. The module will not fire against other OS/browser/Flash version combinations without modification.
- CVE-2015-0336 is a distinct type confusion vulnerability from CVE-2015-0334, though both affect the same Flash Player versions and were fixed in the same advisory (APSB15-05). Ensure detection rules differentiate between the two CVEs.
CVSS provenance
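| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |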
GHSA
GHSA-vf82-rw34-q9xr: Adobe Flash Player before 13
ghsa_unreviewed·2022-05-17·CVSS 9.3
CVE-2015-0334 [CRITICAL] GHSA-vf82-rw34-q9xr: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0336.
GHSA
GHSA-x9gp-g79c-8994: Adobe Flash Player before 13
ghsa_unreviewed·2022-05-17·CVSS 9.3
CVE-2015-0336 [CRITICAL] GHSA-x9gp-g79c-8994: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.
Project0
A Tale of Two Exploits - Project Zero
project_zero·2015-04-01·CVSS 9.3
CVE-2015-0334 [CRITICAL] A Tale of Two Exploits - Project Zero
Posted by Natalie Silvanovich, Collision Investigator and (Object) Field Examiner
CVE-2015-0336 is a type confusion vulnerability in the AS2 NetConnection class. I reported this issue in January and soon wrote a proof-of-concept exploit for the bug. The issue was patched by Adobe in March and less than a week later, in what was likely a case of bug collision, it was found in two exploit kits in the wild. This created an interesting opportunity to compare a real exploit to a theoretical one and better understand how attackers exploit Flash vulnerabilities.
## The Bug
CVE-2015-0336 is caused by a faulty check in the ActionScript 2 NetConnection class. To understand the bug, it is important to understand the structure of AS2 objects.
ActionScript 2 is a legacy scripting language supp
OSV
CVE-2015-0336: Adobe Flash Player before 13
osv·2015-03-13·CVSS 9.3
CVE-2015-0336 [CRITICAL] CVE-2015-0336: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.
OSV
CVE-2015-0334: Adobe Flash Player before 13
osv·2015-03-13·CVSS 9.3
CVE-2015-0334 [CRITICAL] CVE-2015-0334: Adobe Flash Player before 13
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0336.
VulnCheck
Adobe Flash Player Access of Resource Using Incompatible Type ('Type Confusion')
vulncheck·2015·CVSS 9.3
CVE-2015-0336 [CRITICAL] Adobe Flash Player Access of Resource Using Incompatible Type ('Type Confusion')
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.microsoft.com/en-us/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/
Red Hat
flash-plugin: multiple code execution issues fixed in APSB15-05
vendor_redhat·2015-03-12·CVSS 9.3
CVE-2015-0334 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-05
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0336.
Red Hat
flash-plugin: multiple code execution issues fixed in APSB15-05
vendor_redhat·2015-03-12·CVSS 9.3
CVE-2015-0336 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-05
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334.
No detection rules found.
Exploit-DB
Adobe Flash Player - NetConnection Type Confusion (Metasploit)
exploitdb·2015-05-08
CVE-2015-0336 Adobe Flash Player - NetConnection Type Confusion (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Adobe Flash Player NetConnection Type Confusion',
      'Description' => %q{
        This module exploits a type confusion vulnerability in the NetConnection class on
        Adobe Flash Player. When using a correct memory layout this vulnerability allows
        to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
        vectors, and finally accomplish remote code execution. This module has been tested
        successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Natalie Silvanovich', # Vulnerabili
```
Metasploit
Adobe Flash Player NetConnection Type Confusion
metasploit
This module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. When using a correct memory layout this vulnerability allows to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and ultimately accomplish remote code execution. This module has been tested successfully on:
- Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash 16.0.0.305.
- Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.
- Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
- Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.424.
- Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash 11.2.202.442.
Bugzilla
flash-plugin: multiple code execution issues fixed in APSB15-05
bugzilla·2015-03-13·CVSS 10.0
CVE-2015-0332 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-05
Adobe Security Bulletin APSB15-05 for Adobe Flash Player describes multiple flaws that can possibly lead to code execution when Flash Player is used to play a specially crafted SWF file.
Quoting from the APSB15-05:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0332, CVE-2015-0333, CVE-2015-0335, CVE-2015-0339).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-0334, CVE-2015-0336).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-0338).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-0341, CVE-2015-0342).
External Referenc
Microsoft
Understanding type confusion vulnerabilities: CVE-2015-0336 | Microsoft Security Blog
blogs_microsoft·2015-06-17·CVSS 9.3
[CRITICAL] Understanding type confusion vulnerabilities: CVE-2015-0336 | Microsoft Security Blog
Research
June 17, 2015
Zscaler
Angler EK Utilizing 302 Cushioning & Domain Shadowing | Blog
blogs_zscaler·2015-04-03·CVSS 7.8
[HIGH] Angler EK Utilizing 302 Cushioning & Domain Shadowing | Blog
Huntress
What Is Type Confusion and How Does It Work? | Huntress
blogs_huntress
## How does type confusion actually work?
Think of a program's memory as a massive warehouse full of different kinds of boxes. Each box is designed to hold a specific type of item—one holds numbers, another holds text, and a third holds instructions for the computer.
## The Programming Mix-Up
In programming, these "boxes" are called objects or variables, and they have defined "types." A string type holds text, an integer type holds whole numbers, and a pointer type holds a memory address. A type confusion vulnerability happens when a programmer makes a mistake, causing the program to lose track of what’s in which box.
Imagine the program is supposed to grab a box containing a simple number (an integer). But due to a flaw in the code, it grabs a different box—one that holds a set of ins
arXiv
Uplifted Attackers, Human Defenders: The Cyber Offense-Defense Balance for Trailing-Edge Organizations
arxiv_fulltext·2025-08-14
## Abstract
Advances in artificial intelligence are widely understood to have implications for cybersecurity. Articles have emphasized the effect of AI on the cyber offense-defense balance, and credible commentators can be found arguing either that cyber will privilege attackers or defenders. For defenders, arguments are often made that AI will enable solutions like formal verification of all software—and for some well-equipped companies, this may be true. This conversation, however, does not match the reality for most companies. "Trailing-edge organizations," as we term them, rely heavily on legacy software, poorly staff security roles, and struggle to implement best practices like rapid deployment of security patches. These decisions may be the result of corporate ine
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00017.html
- http://rhn.redhat.com/errata/RHSA-2015-0697.html
- http://www.securityfocus.com/bid/73084
- http://www.securitytracker.com/id/1031922
- https://helpx.adobe.com/security/products/flash-player/apsb15-05.html
- https://security.gentoo.org/glsa/201503-09
- https://www.exploit-db.com/exploits/36962/