VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2015 · Updated May 6, 2026

CVE-2015-7636

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player contains a use-after-free vulnerability that allows arbitrary code execution via unspecified vectors.

Vulnerability

CVE-2015-7636 is a use-after-free vulnerability in Adobe Flash Player affecting versions before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux, as well as Adobe AIR before 19.0.0.213 and related SDKs [1][2]. The flaw resides in the Flash Player runtime and can be triggered via unspecified vectors, likely involving a crafted SWF file that references freed memory [2].

Exploitation

An attacker would typically host a specially crafted SWF file on a website or inject it into a compromised web page. Then, the victim would need to load that page in a browser with a vulnerable Flash Player [2]. No special authentication or network position beyond delivering the malicious content is required. The exact sequence of steps is not disclosed, but the vulnerability is triggered by the Flash Player processing the crafted content, leading to a use-after-free condition [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the affected user's browser or application [2]. This could lead to full system compromise, including data theft, installation of malware, or further lateral movement. The impact severity is considered Critical, with CVSS scores indicating high risk [2].

Mitigation

Adobe released fixes in Flash Player versions 18.0.0.252 and 19.0.0.207 on Windows and OS X and in version 11.2.202.535 on Linux, along with updated AIR and SDK versions [1][2]. Red Hat provided updated packages for Enterprise Linux in RHSA-2015:1893 and RHSA-2015:2024, which upgrade Flash Player to version 11.2.202.548 [1][2]. Users should apply the latest updates as soon as possible. There are no known workarounds; disabling Flash Player or using a browser that blocks it can mitigate the risk when patching cannot be done immediately [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Adobe Inc./Air (2 versions)
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (range: <=19.0.0.190)
    • (no CPE) (range: <=19.0.0.213)
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (range: <=19.0.0.190)
    • (no CPE) (range: <=19.0.0.213)
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    • (range: <=19.0.0.190)
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=11.2.202.521)
    • (no CPE) (range: <=18.0.0.252 (Windows/OS X); <=19.0.0.207 (Windows/OS X 19.x); <=11.2.202.535 (Linux))

References

4
