CVE-2015-5562
Description
Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-5554, CVE-2015-5555, and CVE-2015-5558.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player, AIR, and SDKs before specific versions contain a type confusion vulnerability allowing arbitrary code execution.
Vulnerability
Adobe Flash Player before 18.0.0.232 on Windows and OS X, before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 contain an unspecified type confusion vulnerability [1]. This allows attackers to execute arbitrary code. The issue is distinct from CVE-2015-5554, CVE-2015-5555, and CVE-2015-5558. The affected versions include all those prior to the specified patched versions.
Exploitation
An attacker can exploit this vulnerability by delivering a specially crafted SWF file to a user. No authentication or specific user privileges are required beyond the user opening the malformed file in a vulnerable Flash Player instance. The vulnerability can be triggered remotely via a web page or other means of delivering the malicious SWF content [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the Flash Player process [1][2]. This could lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within a network.
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199. Red Hat issued RHSA-2015:1603 for affected RHEL packages [1]. Gentoo recommends upgrading to >=www-plugins/adobe-flash-11.2.202.508 [2]. Users should apply the appropriate updates as soon as possible.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.209
- (no CPE)range: <18.0.0.232 (Windows/OS X) and <11.2.202.508 (Linux)
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.508-0.14.1+ 3 more
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-0.14.1
- (no CPE)range: < 11.2.202.508-99.1
- (no CPE)range: < 11.2.202.508-99.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securityfocus.com/bid/76287nvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201508-01nvd
News mentions
0No linked articles in our index yet.