VYPR
Unrated severity · NVD Advisory · Published Aug 24, 2015 · Updated May 6, 2026

CVE-2015-5566

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux, Adobe AIR before 18.0.0.199, Adobe AIR SDK before 18.0.0.199, and Adobe AIR SDK & Compiler before 18.0.0.199 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5127, CVE-2015-5130, CVE-2015-5134, CVE-2015-5539, CVE-2015-5540, CVE-2015-5550, CVE-2015-5551, CVE-2015-5556, CVE-2015-5557, CVE-2015-5559, CVE-2015-5561, CVE-2015-5563, CVE-2015-5564, and CVE-2015-5565.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux) contains a use-after-free vulnerability that allows arbitrary code execution.

Vulnerability

CVE-2015-5566 is a use-after-free vulnerability in Adobe Flash Player. It affects versions before 18.0.0.232 on Windows and OS X and before 11.2.202.508 on Linux. Also affected are Adobe AIR, AIR SDK, and AIR SDK & Compiler before version 18.0.0.199. The vectors are unspecified; the flaw is reachable through malicious Flash content delivered via web pages or email attachments.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash file, typically through a web browser or document reader that embeds Flash content. No authentication or prior access is required, as the attack can be delivered remotely. The use-after-free condition occurs during memory management operations, allowing the attacker to control program flow.

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the user running Flash. This can lead to full system compromise, including installation of malware, data theft, or further network propagation. The CVSS base score is 9.3 (Critical), reflecting high impact on confidentiality, integrity, and availability.

Mitigation

Adobe released fixed versions as part of the August 2015 security update: Flash Player 18.0.0.232 (Windows/OS X) and 11.2.202.508 (Linux), and AIR 18.0.0.199 [1]. Users should update immediately through automatic update mechanisms or by downloading from Adobe's website. Red Hat provided updates for affected products via RHSA-2015:1603 [1]. Disabling or removing Flash from browsers is an effective workaround for environments where Flash is not essential.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Adobe Inc./Air (2 versions)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (range: <=18.0.0.180)
    • (no CPE) (range: <18.0.0.199)
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (range: <=18.0.0.180)
    • (no CPE) (range: <18.0.0.199)
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* (range: <=18.0.0.180)
    • (no CPE) (range: <18.0.0.199)
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=11.2.202.491)
    • (no CPE) (range: <18.0.0.232 (Windows/OS X) / <11.2.202.508 (Linux))

References

6
