VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 9, 2015· Updated May 6, 2026

CVE-2015-3137

CVE-2015-3137

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 18.0.0.203 allows remote attackers to execute arbitrary code.

Vulnerability

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, before 11.2.202.481 on Linux, and in Adobe AIR before 18.0.0.180, allowing arbitrary code execution through unspecified vectors [1][2].

Exploitation

The vulnerability can be exploited by an attacker who convinces a user to open a malicious Flash file (e.g., via a web page or email). No authentication is required, and the attacker does not need any prior access. The exploitation occurs when the Flash player processes the crafted content, triggering the use-after-free condition [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the affected system, potentially leading to full compromise of the user's machine. This includes the ability to install programs, view, change, or delete data, and create new accounts with full user rights [1][2].

Mitigation

Adobe released updates for Flash Player: versions 13.0.0.302 and 18.0.0.203 for Windows/OS X, 11.2.202.481 for Linux, and AIR 18.0.0.180. Users should apply the latest version from Adobe's website or via their distribution's package manager. Red Hat and Gentoo have issued advisories urging immediate updates [1][2].

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1214.html
  2. Multiple vulnerabilities (GLSA 201507-13) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

28
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: < 18.0.0.180
  • Adobe Inc./Air Sdk
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    Range: <=18.0.0.144
  • Adobe Inc./Air Sdk \& Compiler
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=18.0.0.144
  • Adobe Inc./Flashplayer22 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 21 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
    • (no CPE)range: < 13.0.0.302 (Windows/OS X), < 18.0.0.203 (14.x-18.x on Windows/OS X), < 11.2.202.481 (Linux)
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.481-93.1+ 1 more
    • (no CPE)range: < 11.2.202.481-93.1
    • (no CPE)range: < 11.2.202.481-93.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.