CVE-2015-5557
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, CVE-2015-5564, and CVE-2015-5565.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before 18.0.0.232/11.2.202.508 allows remote code execution via unspecified vectors.
Vulnerability
CVE-2015-5557 is a use-after-free vulnerability in Adobe Flash Player. It affects Flash Player versions before 18.0.0.232 on Windows and OS X, and before 11.2.202.508 on Linux. It also affects Adobe AIR, AIR SDK, and AIR SDK & Compiler before 18.0.0.199. The vulnerability is triggered via unspecified vectors, and is one of a series of similar flaws disclosed in August 2015 [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash (SWF) file, typically via a malicious webpage or email attachment. No authentication is required, and the attack can be delivered remotely. The exact exploitation steps are not detailed in the available references, but the use-after-free condition can be leveraged to achieve code execution [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the affected system with the privileges of the user running Flash Player. This can lead to full compromise of the user's data and system, including installation of malware, data theft, or further lateral movement within a network [1][2].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199. Users should update immediately. Red Hat and Gentoo have issued advisories directing users to apply the updates [1][2]. No workaround is available; upgrading is the only mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=18.0.0.180
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.491
- (no CPE)range: <18.0.0.232 (Windows/OS X) and <11.2.202.508 (Linux)
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securityfocus.com/bid/76288nvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201508-01nvd
News mentions
0No linked articles in our index yet.