Unrated severity · NVD Advisory · Published Sep 22, 2015 · Updated May 6, 2026

CVE-2015-6677

Description

Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5575, CVE-2015-5577, CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, and CVE-2015-5588.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 18.0.0.241, 19.x before 19.0.0.185, and before 11.2.202.521 on Linux allows remote code execution or denial of service via memory corruption.

Vulnerability

Adobe Flash Player before version 18.0.0.241 and 19.x before 19.0.0.185 on Windows and macOS, and before 11.2.202.521 on Linux, as well as Adobe AIR before 19.0.0.190 and related SDKs, contain a memory corruption vulnerability [1][2]. The issue is triggered by unspecified vectors, enabling remote arbitrary code execution or denial of service [1][2]. This CVE is distinct from several other Flash Player CVEs of the same period [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SWF file or other Flash content and delivering it to a target user via a web browser or other application that hosts Flash Player [1][2]. No additional authentication is required beyond convincing the user to open the malicious content, typically through a compromised website or phishing email [1][2]. The exploitation does not require the attacker to have local access or special privileges.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected user or cause a denial of service through memory corruption [1][2]. This could lead to full system compromise, including data theft, installation of malware, or disruption of system availability [1][2]. The scope of impact depends on the user’s permissions, but code execution is achieved with user-level rights.

Mitigation

Adobe released updates to address this vulnerability: Flash Player 18.0.0.241 and 19.0.0.185 (Windows/macOS), Flash Player 11.2.202.521 (Linux), and AIR 19.0.0.190 [1][2]. Users should upgrade immediately to these or later versions [1][2]. Red Hat and Gentoo have also issued advisories recommending the updated packages [1][2]. There is no known workaround besides upgrading [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35
  • Adobe Inc./Air: 2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* + 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=18.0.0.199
    • (no CPE) range: <19.0.0.190
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    Range: <=18.0.0.199
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=18.0.0.180
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* + 24 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.508
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.134:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.169:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.188:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.190:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:17.0.0.191:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.160:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.203:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.209:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:18.0.0.232:*:*:*:*:*:*:*
  • cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
  • Range: <18.0.0.241, <19.0.0.185, <11.2.202.521

References

13
