CVE-2015-5564
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, and CVE-2015-5565.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux) and Adobe AIR before 18.0.0.199 allows arbitrary code execution via unspecified vectors.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X, and prior to 11.2.202.508 on Linux. It also affects Adobe AIR, AIR SDK, and AIR SDK & Compiler versions prior to 18.0.0.199. The vulnerability can be triggered via unspecified vectors, likely involving crafted Flash content [1][2].
Exploitation
An attacker can exploit this vulnerability by enticing a user to open a malicious SWF file or visit a compromised website hosting crafted Flash content. No authentication is required, and the attack can be performed remotely. The exact vector is not disclosed, but it is known to be exploitable through typical web-based attacks [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected user. This can lead to full system compromise, including data theft, installation of malware, or further propagation within a network [1][2].
Mitigation
Adobe has released updates to fix the vulnerability: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and Adobe AIR 18.0.0.199. Red Hat and Gentoo have also issued advisories urging immediate upgrades [1][2]. No workarounds are available; users should apply the latest updates promptly.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
8cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.491
- (no CPE)range: <18.0.0.232 on Windows and OS X
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securityfocus.com/bid/76288nvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201508-01nvd
News mentions
0No linked articles in our index yet.