VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2015 · Updated May 6, 2026

CVE-2015-7637

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free vulnerability in Adobe Flash Player allows remote code execution via a crafted SWF file.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player affecting versions before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, before 11.2.202.535 on Linux, as well as Adobe AIR, AIR SDK, and AIR SDK & Compiler before 19.0.0.213. The flaw is triggered when the Flash Player processes a specially crafted SWF file, leading to a use-after-free condition that can be exploited for arbitrary code execution. [2]

Exploitation

An attacker can exploit this vulnerability by convincing a user to load a malicious SWF file, typically via a web page or email attachment. No authentication is required; the attacker only needs to deliver the crafted SWF content to the victim's browser or application that uses Flash Player. The use-after-free occurs during the processing of the SWF file's actions or rendering, allowing the attacker to control the freed memory. [2]

Impact

Successful exploitation lets the attacker execute arbitrary code with the privileges of the user running Flash Player. This can lead to full system compromise, including the installation of malware, data theft, or further propagation. The vulnerability may also be used to cause a denial of service (crash) or disclose sensitive information. The severity is rated as Critical by Adobe and Red Hat. [2]

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.252 and 19.0.0.207 for Windows/OS X, 11.2.202.535 for Linux, and AIR 19.0.0.213. Red Hat updated the flash-plugin package to version 11.2.202.548 for Red Hat Enterprise Linux 5 Supplementary. Users should update to these versions immediately. [1][2]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Adobe Inc./Flashplayer (inferred), 2 versions
    • (no CPE), range: <18.0.0.252 OR >=19.0.0,<19.0.0.207
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*, range: <=11.2.202.521
  • Adobe Inc./Air, 2 versions
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*, range: <=19.0.0.190
    • (no CPE), range: <19.0.0.213
  • cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    • range: <=19.0.0.190
  • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*, range: <=19.0.0.190
    • (no CPE), range: <19.0.0.213
  • GNU/Flash Player (llm-fuzzy)
    • range: <18.0.0.252, <19.0.0.207, <11.2.202.535

References

4
