Unrated severityNVD Advisory· Published Sep 22, 2015· Updated May 6, 2026

CVE-2015-5574

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5570, CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player's Color.setTransform method allows arbitrary code execution via crafted SWF.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player's Color.setTransform method. When setTransform is called with a transform object that deletes the TextField it is applied to (e.g., via a custom valueOf function that calls removeTextField), the underlying object is freed while still in use, leading to a use-after-free condition. This affects Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X, before 11.2.202.521 on Linux, as well as Adobe AIR before 19.0.0.190 and related SDKs. The issue was reported by Google Project Zero and a proof-of-concept is publicly available [3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SWF file that triggers the use-after-free. The attacker must convince a user to open the SWF, typically via a web page or email attachment. No authentication or special privileges are required; the user only needs to have a vulnerable Flash Player installed. The proof-of-concept demonstrates the sequence: create a TextField, create a Color object from it, define a transform object with a valueOf method that removes the TextField, and then call setTransform with that transform. The valueOf call during the setTransform operation frees the TextField, but the subsequent use of the freed object causes the use-after-free [3].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the Flash Player. This can lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within a network. The vulnerability is rated as critical with a CVSS base score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1].

Mitigation

Adobe released fixed versions on September 21, 2015: Flash Player 18.0.0.241 and 19.0.0.185 for Windows and OS X, 11.2.202.521 for Linux, and AIR 19.0.0.190. Red Hat issued RHSA-2015:1814 for affected Linux distributions [1], and Gentoo published GLSA 201509-07 [2]. Users should update to the latest versions immediately. No workarounds are available; disabling Flash Player or using a browser with Flash disabled is recommended if updating is not possible.

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Air2 versions
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=18.0.0.143
- (no CPE)range: <19.0.0.190
Adobe Inc./Air Sdk2 versions
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=18.0.0.199
- (no CPE)range: <19.0.0.190
Adobe Inc./Air Sdk \& Compiler
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
Range: <=18.0.0.180
Adobe Inc./Flashplayer25 versions
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 24 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.289
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:17.0.0.191:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.203:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.209:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:18.0.0.232:*:*:*:*:*:*:*
Adobe Inc./Flash Playerllm-fuzzy
Range: <18.0.0.241 || >=19.0.0 <19.0.0.185 (Windows/OS X), <11.2.202.521 (Linux)
osv-coords4 versions
pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.521-0.17.1+ 3 more
- (no CPE)range: < 11.2.202.521-0.17.1
- (no CPE)range: < 11.2.202.521-0.17.1
- (no CPE)range: < 11.2.202.521-102.1
- (no CPE)range: < 11.2.202.521-102.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.057
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000