CVE-2015-2424
Summary
| CVE | CVE-2015-2424 |
|---|---|
| State | PUBLISHED |
| Assigner | microsoft |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-07-14 21:59:35 UTC |
| Updated | 2026-04-22 16:30:45 UTC |
| Description | Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability." |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.644800000 probability, percentile 0.984620000 (date 2026-04-25)
CISA KEV: Listed on 2022-03-03; due 2022-03-24; ransomware use Unknown
Problem Types: CWE-787 | n/a | CWE-787 CWE-787 Out-of-bounds Write
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
CompleteIntegrity
CompleteAvailability
CompleteAV:N/AC:M/Au:N/C:C/I:C/A:C
CISA Known Exploited Vulnerability
| Vendor | Microsoft |
|---|---|
| Product | PowerPoint |
| Name | Microsoft PowerPoint Memory Corruption Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2015-2424 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Microsoft | Excel Viewer | 2007 | sp3 | All | All |
| Application | Microsoft | Office | 2007 | sp3 | All | All |
| Application | Microsoft | Office | 2010 | sp2 | All | All |
| Application | Microsoft | Office | 2011 | All | All | All |
| Application | Microsoft | Office | 2013 | sp1 | All | All |
| Application | Microsoft | Office | 2013 | sp1 | All | All |
| Application | Microsoft | Office Compatibility Pack | - | sp3 | All | All |
| Application | Microsoft | Powerpoint | 2007 | sp3 | All | All |
| Application | Microsoft | Powerpoint | 2010 | sp2 | All | All |
| Application | Microsoft | Word | 2013 | sp1 | All | All |
| Application | Microsoft | Word Viewer | - | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Microsoft Office Multiple Flaws Let Remote Users Bypass ASLR and Execute Arbitrary Code - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Broken Link, Third Party Advisory, VDB Entry |
| Microsoft Security Bulletin MS15-070 - Important | Microsoft Docs | af854a3a-2127-422b-91ae-364da2661108 | docs.microsoft.com | Patch, Vendor Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2022-03-03T00:00:00.000Z | CVE-2015-2424 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.