VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 9, 2015· Updated May 6, 2026

CVE-2015-4430

CVE-2015-4430

Description

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, and CVE-2015-5117.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 18.0.0.203 allows remote attackers to execute arbitrary code via unspecified vectors.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X, and before 11.2.202.481 on Linux, as well as in Adobe AIR before 18.0.0.180 and related SDKs [1][2]. The flaw is triggered via unspecified vectors, indicating a memory corruption issue where an object is accessed after it has been freed.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash (SWF) file, typically delivered through a web page, email attachment, or other means. No authentication is required; the attacker only needs to serve the malicious content to the victim. The exact exploitation sequence is not publicly detailed, but it involves triggering the use-after-free condition to achieve code execution.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the affected Flash Player process. This can lead to full system compromise, including data theft, installation of malware, or further lateral movement within a network. The vulnerability is rated critical with a CVSS score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.203 (Windows/OS X), 11.2.202.481 (Linux), and AIR 18.0.0.180 [1][2]. Users should update immediately. Red Hat and Gentoo have also issued advisories urging upgrades. No workarounds are available; the only mitigation is applying the patch.

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1214.html
  2. Multiple vulnerabilities (GLSA 201507-13) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

30
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: <18.0.0.180
  • Adobe Inc./Air Sdk2 versions
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: <18.0.0.180
  • Adobe Inc./Air Sdk \& Compiler2 versions
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=18.0.0.144
    • (no CPE)range: <18.0.0.180
  • Adobe Inc./Flashplayer22 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 21 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
    • (no CPE)range: <18.0.0.203 (Windows/OS X) and <11.2.202.481 (Linux)
  • osv-coords2 versions
    pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
    < 11.2.202.481-93.1+ 1 more
    • (no CPE)range: < 11.2.202.481-93.1
    • (no CPE)range: < 11.2.202.481-93.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.