CVE-2015-7626

Vulnerability

Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux, along with Adobe AIR before 19.0.0.213, contain a memory corruption vulnerability triggered via unspecified vectors [1][2][3]. The flaw resides in the Flash Player rendering engine and can be exploited by loading a specially crafted SWF file.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SWF file and hosting it on a website or embedding it in an email. The victim must load the page or open the file in a browser or application that uses Flash Player or AIR. No authentication or user interaction beyond normal browsing is required [2]. The exact exploitation steps are not publicly detailed, but the vulnerability is remotely exploitable.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected process, potentially leading to full system compromise. Alternatively, an attacker could cause a denial of service via memory corruption. Information disclosure is also possible [2]. The impact is rated Critical by Red Hat [2] and affects all supported platforms.

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.252 and 19.0.0.207 for Windows/OS X, 11.2.202.535 for Linux, and AIR 19.0.0.213 [1][2][3]. Red Hat provided updated packages to version 11.2.202.548 for Red Hat Enterprise Linux [2]. Gentoo recommends upgrading to >=11.2.202.548 [3]. No workaround is available; users should apply the updates immediately.