CVE-2015-7639
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux, allows arbitrary code execution via a crafted SWF file.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux, as well as in Adobe AIR before 19.0.0.213 and related SDKs [1][2]. The flaw is triggered when processing a specially crafted SWF file, leading to memory corruption [2]. The official description indicates this is one of many similar issues addressed in the same update [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a victim to open a malicious SWF file, typically via a web page or email attachment [2]. No additional authentication or network position beyond user interaction is required; the attacker only needs to host the crafted file and have the victim load it in a browser with an affected Flash Player instance [2]. The exploitation vector is remote and does not require any special privileges prior to the attack.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the affected Flash Player process [1][2]. This can lead to full system compromise, including installation of malware, data theft, or further lateral movement within a network. The severity is rated Critical, with a CVSS score reflecting the potential for complete confidentiality, integrity, and availability impact [2].
Mitigation
Adobe released fixes in Flash Player 18.0.0.252 and 19.0.0.207 (Windows/OS X), Flash Player 11.2.202.548 (Linux), and AIR 19.0.0.213 on October 13, 2015 [1][2]. Red Hat provided updated packages in RHSA-2015:1893 and RHSA-2015:2024 [1][2]. Users should apply the update immediately. There are no known workarounds other than disabling Flash until patched.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.213
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=19.0.0.190
- Range: <18.0.0.252 | 19.x <19.0.0.207 | Linux <11.2.202.535