CVE-2015-5551

Vulnerability

CVE-2015-5551 is a use-after-free vulnerability in Adobe Flash Player affecting versions before 18.0.0.232 on Windows and OS X, and before 11.2.202.508 on Linux. It also affects Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199. The vulnerability is triggered via unspecified vectors, as noted in the official description [1][2]. This issue is part of a larger set of Flash Player vulnerabilities disclosed in August 2015.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted SWF file, typically by visiting a malicious web page or opening a malicious email attachment. No authentication is required, and the attacker does not need any special network position beyond being able to deliver the crafted content. The user interaction required is minimal (e.g., clicking a link or opening a file). The exact exploitation steps are not publicly detailed, but the use-after-free condition can be triggered through crafted ActionScript or other Flash content [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the Flash Player. This can lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within a network. The impact is rated as critical, with a CVSS score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1].

Mitigation

Adobe released fixed versions on August 11, 2015: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199. Users should update immediately via the Adobe update mechanism or by downloading the latest version from Adobe's website. Red Hat issued RHSA-2015:1603 for affected Red Hat Enterprise Linux versions [1], and Gentoo published GLSA 201508-01 [2]. No workarounds are available; the only mitigation is to apply the patch or disable Flash Player if updating is not possible.