VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 10, 2015· Updated May 6, 2026

CVE-2015-3103

CVE-2015-3103

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3106 and CVE-2015-3107.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 13.0.0.292/18.0.0.160/11.2.202.466 allows remote code execution via unspecified vectors.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player versions before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X, and before 11.2.202.466 on Linux. It also affects Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, as well as the AIR SDK and AIR SDK & Compiler on those platforms. The flaw is triggered via unspecified vectors, likely involving crafted SWF content [1][2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious Flash file, typically through a web page or email attachment. No authentication is required, and the attack can be launched remotely. The exact exploitation steps are not disclosed in the available references, but the use-after-free condition can be triggered to achieve code execution [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected process. This can lead to full system compromise, including data theft, installation of malware, or denial of service. The vulnerability may also be used to bypass security restrictions or obtain sensitive information [2].

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.292, 18.0.0.160, and 11.2.202.466; AIR 18.0.0.144 (Windows) and 18.0.0.143 (OS X, Android); and corresponding updates for the AIR SDK and AIR SDK & Compiler. Users should update immediately via the vendor's update mechanism or package manager (e.g., emerge on Gentoo). No workaround is available [1][2].

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1086.html
  2. Multiple vulnerabilities (GLSA 201506-01) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

27
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=17.0.0.144
    • (no CPE)range: <18.0.0.144 (Windows) and <18.0.0.143 (OS X and Android)
  • Adobe Inc./Air Sdk
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    Range: <=17.0.0.172
  • Adobe Inc./Air Sdk \& Compiler2 versions
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=17.0.0.172
    • (no CPE)range: <18.0.0.144 (Windows) and <18.0.0.143 (OS X)
  • Adobe Inc./Flashplayer19 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 18 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • (no CPE)range: <13.0.0.292 (Windows/OS X) and <18.0.0.160 (Windows/OS X 14.x-18.x) and <11.2.202.466 (Linux)
  • Google/Android
    cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.466-86.1+ 1 more
    • (no CPE)range: < 11.2.202.466-86.1
    • (no CPE)range: < 11.2.202.466-86.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.