CVE-2015-7632
Description
Buffer overflow in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via a Loader object with a crafted loaderBytes property.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in Adobe Flash Player's Loader.loadBytes allows remote attackers to execute arbitrary code via a crafted SWF.
Vulnerability
A buffer overflow vulnerability exists in the Loader object of Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, before 11.2.202.535 on Linux, and in Adobe AIR before 19.0.0.213. The flaw is triggered by manipulating the loaderBytes property of a Loader object with a crafted value, leading to memory corruption [1][3].
Exploitation
An attacker can exploit this vulnerability by convincing a user to visit a malicious web page or open a malicious SWF file. No authentication or special network position is required beyond standard web access. The attack requires user interaction (the victim must load the crafted content). The specific flaw is triggered during the processing of the loaderBytes property, causing a buffer overflow that overwrites adjacent memory [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the current process (the Flash Player plugin or AIR runtime). This can lead to full compromise of the affected system, including data disclosure, modification, or denial of service, with the privileges of the user running the Flash content [3][4].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.252, 19.0.0.207, and 11.2.202.535 (Linux); AIR 19.0.0.213. Red Hat updated flash-plugin to version 11.2.202.548 [2]. Gentoo recommends upgrading to >=www-plugins/adobe-flash-11.2.202.548 [4]. No workaround is available; users must apply the update. The vulnerability is not listed in CISA KEV as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=19.0.0.190
- range: >=0 <18.0.0.252 on Windows/OS X, <19.0.0.207 for 19.x on Windows/OS X, <11.2.202.535 on Linux
- OSV coordinates (4 versions):
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.535-0.20.1
- (no CPE) range: < 11.2.202.535-0.20.1
- (no CPE) range: < 11.2.202.535-105.1
- (no CPE) range: < 11.2.202.535-105.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-25.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00011.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00012.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00013.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-1893.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2024.html (nvd)
- www.securityfocus.com/bid/77062 (nvd)
- www.securitytracker.com/id/1033797 (nvd)
- www.zerodayinitiative.com/advisories/ZDI-15-512 (nvd)
- security.gentoo.org/glsa/201511-02 (nvd)
News mentions
No linked articles in our index yet.