Unrated severity · NVD Advisory · Published Oct 18, 2015 · Updated May 6, 2026

CVE-2015-7635


Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252/19.0.0.207 (Windows/OS X) and 11.2.202.535 (Linux) allows remote attackers to execute arbitrary code via a crafted SWF file.

Vulnerability

CVE-2015-7635 is a use-after-free vulnerability in Adobe Flash Player affecting versions before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux. It also affects Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213. The specific code path and object type involved are not disclosed in available references [1][2].

Exploitation

An attacker can exploit this vulnerability by convincing a victim to visit a web page containing a specially crafted SWF file (e.g., via a malicious website or an ad network). No authentication or additional privileges are required; the victim merely needs to load the malicious SWF content in a browser with an affected Flash Player version. The exact attack vector is unspecified in the references [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the victim's system, potentially leading to full system compromise. The attacker gains the same privileges as the current user, which could include access to sensitive data, installation of malware, or further network propagation. The CVSS score is critical, and the vulnerability is part of a cluster of similar use-after-free issues fixed in the same update [1][2].

Mitigation

Adobe released fixed versions on October 13, 2015: Flash Player 18.0.0.252 and 19.0.0.207 for Windows/OS X, and 11.2.202.535 for Linux; AIR 19.0.0.213 for all affected platforms. Red Hat released updated packages (flash-plugin 11.2.202.548) as part of RHSA-2015:2024 [2]. Users should update to the latest versions. If patching is not immediately possible, disabling or restricting Flash Player usage in the browser (e.g., via click-to-play settings) is a recommended workaround.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Adobe Inc./Air (2 versions)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*, range: <=19.0.0.190
    • (no CPE), range: < 19.0.0.213
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (2 versions)
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*, range: <=19.0.0.190
    • (no CPE), range: < 19.0.0.213
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    Range: <=19.0.0.190
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    Range: <=19.0.0.185
  • GNU/Flash Player (llm-fuzzy)
    Range: < 18.0.0.252 (Windows/OS X) or < 19.0.0.207 (19.x) or < 11.2.202.535 (Linux)


References

4
