Unrated severityNVD Advisory· Published Oct 18, 2015· Updated May 6, 2026

CVE-2015-7638

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free vulnerability in Adobe Flash Player allows arbitrary code execution via unspecified vectors.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before version 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before version 11.2.202.535 on Linux. The issue also affects Adobe AIR before version 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213. The vulnerability can be triggered via unspecified vectors, leading to memory corruption [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SWF file and convincing a user to load it, typically through a web page or email attachment. No authentication is required, but user interaction is necessary to open the malicious content [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the user running the affected Flash Player instance. This can lead to full system compromise, including data theft, installation of malware, or further network propagation [1][2].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.252, 19.0.0.207, and 11.2.202.535 for Linux; AIR 19.0.0.213. Red Hat provided updated packages (flash-plugin 11.2.202.548) for Red Hat Enterprise Linux 5 Supplementary [2]. Users should apply the updates immediately. No workaround is available [1][2].

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Adobe Inc./Air2 versions
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: before 19.0.0.213
Adobe Inc./Air Sdk2 versions
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: before 19.0.0.213
Adobe Inc./Air Sdk \& Compiler2 versions
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: before 19.0.0.213
Adobe Inc./Flashplayer
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Range: <=11.2.202.521
GNU/Flash Playerllm-fuzzy
Range: before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

helpx.adobe.com/security/products/flash-player/apsb15-25.htmlnvdPatchVendor Advisory
rhn.redhat.com/errata/RHSA-2015-1893.htmlnvd
rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
www.securityfocus.com/bid/77061nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000