CVE-2015-3132
Description
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before 18.0.0.203 allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before version 13.0.0.302 and versions 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux. The issue also affects Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180. The vulnerability is triggered via unspecified vectors, and is one of several similar use-after-free flaws disclosed in the same update (CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117) [1][2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SWF file and delivering it to a victim, typically through a compromised website or via email. No authentication is required; the victim only needs to open the file or visit a page that loads the Flash content. The attack is remote and does not require any special network position beyond the ability to serve the malicious content [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the Flash Player instance. This can lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within a network. The vulnerability is rated as critical with a CVSS score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1][2].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.203 (Windows/OS X) and 11.2.202.481 (Linux), and AIR 18.0.0.180. Red Hat provided updates via RHSA-2015:1214 for affected Red Hat Enterprise Linux versions [1]. Gentoo issued GLSA 201507-13 advising users to upgrade to the patched version [2]. No workaround is available; users must apply the updates to mitigate the risk.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (29)
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=18.0.0.144
- (no CPE) range: <18.0.0.180
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=18.0.0.144
- (no CPE) range: <18.0.0.180
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=18.0.0.144
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.468
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
- (no CPE) range: <18.0.0.203 (Windows/OS X) and <11.2.202.481 (Linux)
osv-coords (2 versions), range: < 11.2.202.481-93.1
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.481-93.1
- (no CPE) range: < 11.2.202.481-93.1
Patches (0)
No patches discovered yet.
References (7)
- helpx.adobe.com/security/products/flash-player/apsb15-16.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-1214.html (nvd)
- www.securityfocus.com/bid/75590 (nvd)
- www.securitytracker.com/id/1032810 (nvd)
- security.gentoo.org/glsa/201507-13 (nvd)