CVE-2015-4428
Description
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4430, and CVE-2015-5117.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before multiple versions allows remote code execution via unspecified vectors, exploited in the wild.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player versions before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux, as well as in Adobe AIR before 18.0.0.180 and related SDKs. The flaw occurs due to improper memory management when processing certain SWF content, allowing an attacker to manipulate freed memory. The vulnerable code path is reachable without special configuration; simply loading a crafted Flash file triggers the condition [1][2].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious SWF file on a website or injecting it into a trusted domain. The victim must visit the compromised page using a browser or application that runs the vulnerable Flash Player version. No user interaction beyond normal browsing (e.g., clicking a link or playing a video) is required. The attacker does not need any prior authentication or local access. The use-after-free is triggered through unspecified vectors, allowing the attacker to hijack control flow [1].
Impact
Successful exploitation leads to arbitrary code execution in the context of the currently logged-in user. The attacker gains the ability to run arbitrary commands, potentially leading to full system compromise, including data theft, installation of malware, or further network propagation. The impact is rated critical due to the lack of user interaction needed and the widespread use of Flash Player at the time [1][2].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.203 (Windows/OS X), 11.2.202.481 (Linux), and AIR 18.0.0.180. Red Hat and Gentoo advisories confirm updates are available via their respective channels. Users should update immediately; no workaround is available. This vulnerability is part of a group of Flash Player flaws that were actively exploited, and the CVE has been cited in KEV listings [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
29cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
- (no CPE)range: <18.0.0.180
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.144
- (no CPE)range: <18.0.0.180
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=18.0.0.144
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 20 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
- Range: <18.0.0.203
- osv-coords2 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.481-93.1+ 1 more
- (no CPE)range: < 11.2.202.481-93.1
- (no CPE)range: < 11.2.202.481-93.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- helpx.adobe.com/security/products/flash-player/apsb15-16.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1214.htmlnvd
- www.securityfocus.com/bid/75590nvd
- www.securitytracker.com/id/1032810nvd
- security.gentoo.org/glsa/201507-13nvd
News mentions
0No linked articles in our index yet.