Unrated severityNVD Advisory· Published Feb 6, 2015· Updated May 6, 2026

CVE-2015-0315

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0313, CVE-2015-0320, and CVE-2015-0322.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player allows remote code execution; fixed in versions 13.0.0.269, 16.0.0.305, and 11.2.202.442.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X, and before 11.2.202.442 on Linux [1][2][3]. The flaw is triggered via unspecified vectors, likely involving crafted SWF content that corrupts memory after an object is freed.

Exploitation

An attacker can exploit this vulnerability by hosting a malicious SWF file on a website or embedding it in an email. The victim must open the file in a vulnerable Flash Player instance (e.g., via a web browser). No authentication or special privileges are required; the attack relies on user interaction to load the crafted content. The exact sequence of steps is not publicly detailed, but the use-after-free condition is triggered during Flash Player's processing of the SWF data.

Impact

Successful exploitation allows arbitrary code execution in the context of the user running Flash Player. This can lead to full system compromise, including data theft, installation of malware, or further lateral movement within a network. The vulnerability is rated as critical due to the potential for remote code execution without user interaction beyond opening the malicious file.

Mitigation

Adobe released fixed versions: 13.0.0.269, 16.0.0.305 (Windows/OS X), and 11.2.202.442 (Linux). Microsoft provided updates for Flash in Internet Explorer and Edge [1], Red Hat issued RHSA-2015:0140 [2], and Gentoo published GLSA 201502-02 [3]. Users should apply the latest updates immediately. No workarounds are available; updating is the only mitigation.

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Flashplayer16 versions
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 15 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.264
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- (no CPE)range: <13.0.0.269 && >=14.0 <16.0.0.305 || <11.2.202.442 on Linux
osv-coords2 versions
pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.442-67.1+ 1 more
- (no CPE)range: < 11.2.202.442-67.1
- (no CPE)range: < 11.2.202.442-67.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000