VYPR
Unrated severity · NVD Advisory · Published Aug 14, 2015 · Updated May 6, 2026

CVE-2015-5540

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, CVE-2015-5564, and CVE-2015-5565.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player before 18.0.0.232/11.2.202.508 and AIR before 18.0.0.199 allows arbitrary code execution via crafted SWF.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player and Adobe AIR, affecting Windows and OS X versions before 18.0.0.232, Linux versions before 11.2.202.508, and AIR versions before 18.0.0.199 [1][3]. The bug is triggered when a watch is set on the childNodes object of an XML node and the XML tree is then manipulated (e.g., by appending a child): the watch function deletes child nodes while the original enumeration is still in progress, so the enumeration continues to access the freed buffer [2]. This is one of several similar vulnerabilities fixed in the same release (CVE-2015-5127 and the others listed in the description above).

Exploitation

An attacker can exploit this by delivering a specially crafted SWF file to the victim. No authentication is required; only user interaction (opening the file or visiting a malicious site) is needed [1]. The exploit sequence involves setting a watch on the length property of the childNodes array, then appending a child node. The watch handler removes all child nodes, causing the underlying buffer to be freed while the original function still references it [2]. This enables control of the freed memory to achieve code execution.

Impact

Successful exploitation allows arbitrary code execution in the context of the user running the Flash process [1][3]. An attacker could gain full control over the affected system, potentially leading to data disclosure, denial of service, or further compromise [3].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199 [1][3]. Users should upgrade immediately as there is no known workaround [3]. Red Hat and Gentoo have issued advisories urging updates [1][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 12