CVE-2015-5130
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, CVE-2015-5564, and CVE-2015-5565.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in Adobe Flash Player allowing remote code execution when setting the scrollRect of a MovieClip.
Vulnerability
CVE-2015-5130 is a use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X, and before 11.2.202.508 on Linux, as well as Adobe AIR before 18.0.0.199 and related SDKs [1][3]. The bug occurs when setting the scrollRect attribute of a MovieClip in ActionScript 2 (AS2) with a custom Rectangle, causing the MovieClip to be freed while a reference remains on the stack [2].
Exploitation
An attacker can exploit this by crafting a malicious SWF file that triggers the use-after-free. No authentication is required; the victim only needs to open the file or visit a web page hosting the SWF. The exploitation sequence involves setting the scrollRect to a custom rectangle and then creating a TextField at the same depth as the targeted MovieClip, which overwrites the freed memory and can lead to code execution [2].
Impact
Successful exploitation allows remote attackers to execute arbitrary code in the context of the Flash Player process, potentially leading to full system compromise [1][3].
Mitigation
Adobe has released patched versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199. Red Hat and Gentoo have also released updated packages [1][3]. There is no known workaround; users should upgrade immediately.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (range: <=18.0.0.180)
- (no CPE) (range: <18.0.0.199)
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* (range: <=18.0.0.180)
- range: <18.0.0.232 (Windows/OS X) | <11.2.202.508 (Linux)
- OSV coordinates (4 versions):
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.508-0.14.1
- (no CPE) range: < 11.2.202.508-0.14.1
- (no CPE) range: < 11.2.202.508-99.1
- (no CPE) range: < 11.2.202.508-99.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-19.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.html (nvd; Third Party Advisory)
- www.securityfocus.com/bid/76288 (nvd; Third Party Advisory, VDB Entry)
- rhn.redhat.com/errata/RHSA-2015-1603.html (nvd)
- www.securitytracker.com/id/1033235 (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- security.gentoo.org/glsa/201508-01 (nvd)
- www.exploit-db.com/exploits/37854/ (nvd)
News mentions
No linked articles in our index yet.