VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 9, 2015· Updated May 6, 2026

CVE-2015-3136

CVE-2015-3136

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 18.0.0.203 allows remote attackers to execute arbitrary code via unspecified vectors.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player versions before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux. Adobe AIR, AIR SDK, and AIR SDK & Compiler versions before 18.0.0.180 are also affected. The vulnerability arises due to improper memory handling when processing Flash content, and can be triggered by unspecified vectors [1][2].

Exploitation

An attacker can remotely exploit this vulnerability by convincing a user to open specially crafted Flash content, such as a malicious SWF file, in a browser or other application using the vulnerable Flash Player. No authentication is required, and user interaction is limited to opening the content [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected system with the privileges of the user running the Flash Player. This can lead to full compromise of the system, including data theft, installation of malware, and further lateral movement within a network [1][2].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.203 (Windows/Mac), 13.0.0.302 (extended support release), and 11.2.202.481 (Linux); AIR 18.0.0.180. Red Hat and Gentoo have also issued updated packages [1][2]. Users should immediately update to the latest versions available from Adobe or their operating system vendor.

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1214.html
  2. Multiple vulnerabilities (GLSA 201507-13) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

29
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: before 18.0.0.180
  • Adobe Inc./Air Sdk2 versions
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: before 18.0.0.180
  • Adobe Inc./Air Sdk \& Compiler
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=18.0.0.144
  • Adobe Inc./Flashplayer21 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 20 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
  • Adobe Inc./Flash Playerllm-fuzzy
    Range: before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 (Windows/OS X); before 11.2.202.481 (Linux)
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.481-93.1+ 1 more
    • (no CPE)range: < 11.2.202.481-93.1
    • (no CPE)range: < 11.2.202.481-93.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.