CVE-2015-5565
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, and CVE-2015-5564.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before 18.0.0.232 (Windows/OS X) or 11.2.202.508 (Linux) and AIR before 18.0.0.199 allows remote code execution.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player version 18.0.0.232 and earlier on Windows and OS X, version 11.2.202.508 and earlier on Linux, as well as Adobe AIR, AIR SDK, and AIR SDK & Compiler versions 18.0.0.199 and earlier. The flaw is triggered via unspecified vectors, allowing an attacker to corrupt memory after an object has been freed [1]. This vulnerability is distinct from other similar CVEs listed in the advisory.
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash file, typically delivered through a web page or email. No additional authentication or privileges are required beyond the user accessing the malicious content. The exact method of exploitation is not publicly detailed, but it involves memory manipulation after the use-after-free condition is triggered.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the affected system. The attacker can gain the same privileges as the current user, potentially leading to full system compromise, including data theft, installation of malware, or further lateral movement within a network.
Mitigation
Adobe has released fixed versions: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199 [1]. Users should update immediately. For systems where patching is not possible, consider disabling or uninstalling Flash Player, or using browser controls to block Flash content. Red Hat Enterprise Linux users can refer to RHSA-2015:1603 for updated packages.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.180
- (no CPE)range: <18.0.0.199
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=18.0.0.180
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.491
- (no CPE)range: <18.0.0.232 on Windows/OS X, <11.2.202.508 on Linux
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- helpx.adobe.com/security/products/flash-player/apsb15-19.htmlnvdPatchVendor Advisory
- rhn.redhat.com/errata/RHSA-2015-1603.htmlnvd
- www.securityfocus.com/bid/76288nvd
- www.securitytracker.com/id/1033235nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
News mentions
0No linked articles in our index yet.