CVE-2015-5558
Description
Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-5554, CVE-2015-5555, and CVE-2015-5562.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player and AIR type confusion vulnerability allows remote code execution via crafted SWF files.
Vulnerability
A type confusion vulnerability exists in Adobe Flash Player before 18.0.0.232 (Windows/OS X) and before 11.2.202.508 (Linux), as well as in Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199. The bug is triggered during Flash Player's handling of ActionScript objects, where an unspecified type confusion leads to memory corruption. No authentication or special configuration is required for the code path to be reachable; the vulnerability can be triggered simply by viewing a crafted SWF file. [1][2]
Exploitation
An attacker can exploit this vulnerability by hosting a maliciously crafted SWF file on a website or embedding it in an email or other document. The victim only needs to open the file or visit the page with a vulnerable Flash Player instance. No additional privileges or user interaction beyond normal browsing (e.g., clicking a link) are required. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the user's Flash Player process. This can lead to full compromise of the affected system, including reading or writing files, installing malware, and performing actions as the logged-in user. The vulnerability is rated critical with a CVSS base score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). [1][2]
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux); AIR 18.0.0.199, AIR SDK 18.0.0.199, and AIR SDK & Compiler 18.0.0.199. Users should update immediately. Red Hat and Gentoo have also issued advisories pointing users to the updated packages. [1][2]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=18.0.0.180
- Range: <18.0.0.232 (Windows/OS X), <11.2.202.508 (Linux)
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securityfocus.com/bid/76287nvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201508-01nvd
News mentions
0No linked articles in our index yet.