CVE-2015-3106
Description
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466 on Linux, Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, Adobe AIR SDK before 18.0.0.144 on Windows and before 18.0.0.143 on OS X, and Adobe AIR SDK & Compiler before 18.0.0.144 on Windows and before 18.0.0.143 on OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3103 and CVE-2015-3107.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player's ActionScript 2 TextField.filters array allows remote code execution via crafted SWF.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player's ActionScript 2 TextField.filters array property [2]. The flaw affects Flash Player versions before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X, and before 11.2.202.466 on Linux. It also impacts Adobe AIR before 18.0.0.144 on Windows and before 18.0.0.143 on OS X and Android, as well as the AIR SDK and AIR SDK & Compiler on those platforms [1][3]. The vulnerability is triggered when the filters array is read while being modified, leading to a use-after-free condition [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SWF file that, when opened by a victim, triggers the use-after-free. The exploit works by setting the TextField.filters array, which causes Flash to create an internal array. When the property is read, Flash iterates over this array and clones each filter. During this loop, the attacker can override a filter's constructor to execute arbitrary ActionScript 2 code. If that code alters the filters array, Flash frees the internal array, leaving a dangling pointer on the stack. When execution resumes, the freed memory is accessed, resulting in a use-after-free [2]. No authentication is required; the attacker only needs to convince the user to load the malicious SWF, typically via a web page or email attachment.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the affected Flash Player or AIR runtime [1][3]. This can lead to full system compromise, including data theft, installation of malware, or further lateral movement within a network. The vulnerability is rated as critical with a CVSS score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1].
Mitigation
Adobe released fixed versions on June 9, 2015: Flash Player 18.0.0.160 (and 13.0.0.292 for older branches), AIR 18.0.0.144 on Windows and 18.0.0.143 on OS X and Android, and corresponding updates for the AIR SDK and AIR SDK & Compiler [1][3]. Red Hat issued RHSA-2015:1086 for affected Linux distributions [1], and Gentoo published GLSA 201506-01 [3]. No workaround is available; users must update to the patched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
27cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=17.0.0.172
- (no CPE)range: <=18.0.0.144 on Windows, <=18.0.0.143 on OS X and Android
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=17.0.0.172
- (no CPE)range: <=18.0.0.144 on Windows, <=18.0.0.143 on OS X
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=17.0.0.172
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 18 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.460
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- (no CPE)range: <=13.0.0.292 on Windows and OS X, <=18.0.0.160 on Windows and OS X, <=11.2.202.466 on Linux
- osv-coords2 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.466-86.1+ 1 more
- (no CPE)range: < 11.2.202.466-86.1
- (no CPE)range: < 11.2.202.466-86.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-11.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00005.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00009.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-06/msg00011.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1086.htmlnvd
- www.securityfocus.com/bid/75087nvd
- www.securitytracker.com/id/1032519nvd
- security.gentoo.org/glsa/201506-01nvd
- www.exploit-db.com/exploits/37847/nvd
News mentions
0No linked articles in our index yet.