VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 9, 2015· Updated May 6, 2026

CVE-2015-3129

CVE-2015-3129

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 18.0.0.203 allows attackers to execute arbitrary code via unspecified vectors.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player versions before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux. It also affects Adobe AIR before 18.0.0.180 and related SDKs. The flaw is triggered via unspecified vectors, and is one of several use-after-free vulnerabilities (CVE-2015-3129, CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5117) patched in the same update. [1][2]

Exploitation

An attacker can exploit this flaw by convincing a user to open a crafted Flash file or visit a malicious website. No authentication is required; the attacker only needs the victim to interact with the content. The exact sequence of steps is not publicly detailed, but the use-after-free condition can be triggered remotely through Flash Player's rendering of SWF content. [1][2]

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected process. This could lead to full compromise of the user's system, including data theft, installation of malware, or further network propagation. The vulnerability can also potentially cause a denial of service or security restriction bypass. [1][2]

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.302 and 18.0.0.203 (Windows/OS X) and 11.2.202.481 (Linux); Adobe AIR 18.0.0.180 and corresponding SDKs. Red Hat's advisory [1] provides packages for RHEL; Gentoo's GLSA [2] provides updated versions. Users should upgrade immediately. No workarounds are known. This CVE is not listed in CISA's KEV. [1][2]

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1214.html
  2. Multiple vulnerabilities (GLSA 201507-13) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

29
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: <18.0.0.180
  • Adobe Inc./Air Sdk2 versions
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: <18.0.0.180
  • Adobe Inc./Air Sdk \& Compiler
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=18.0.0.144
  • Adobe Inc./Flashplayer22 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 21 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
    • (no CPE)range: <13.0.0.302 (Win/OS X) or <11.2.202.481 (Linux) or 14.x-18.x <18.0.0.203
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.481-93.1+ 1 more
    • (no CPE)range: < 11.2.202.481-93.1
    • (no CPE)range: < 11.2.202.481-93.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.