VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 18, 2015· Updated May 6, 2026

CVE-2015-7640

CVE-2015-7640

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Flash Player before 18.0.0.252/19.0.0.207 on Windows/OS X and before 11.2.202.535 on Linux allows arbitrary code execution.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, and before 11.2.202.535 on Linux. The flaw also affects Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 [1]. The bug is triggered via unspecified vectors, indicating a memory handling error where an object reference is not properly cleared after use, leading to a dangling pointer.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious SWF file that triggers the use-after-free condition. The victim must load a page containing this SWF content, typically through a web browser or any application embedding the vulnerable Flash Player [2]. No additional authentication or special network position is required; the attack can be performed remotely. The exploitation relies on the attacker controlling the content to induce the memory corruption.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected system, with the same privileges as the user running the Flash Player instance [1][2]. This can lead to full compromise of the user's session, including data theft, installation of malware, or further lateral movement within the network. The vulnerability is rated Critical by Red Hat [2] and is actively used in the wild.

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.252 and 19.0.0.207 for Windows/OS X, and 11.2.202.535 for Linux. Adobe AIR was updated to 19.0.0.213. Red Hat provided updated flash-plugin packages (version 11.2.202.548) as part of RHSA-2015:2024 [2]. Users should immediately update to the latest versions. No workaround is available; disabling Flash Player or using click-to-play plugins can reduce risk until patching is complete.

References
  1. http://rhn.redhat.com/errata/RHSA-2015-1893.html
  2. http://rhn.redhat.com/errata/RHSA-2015-2024.html

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Adobe Inc./Air2 versions
    cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.190
    • (no CPE)range: < 19.0.0.213
  • Adobe Inc./Air Sdk
    cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
    Range: <=19.0.0.190
  • Adobe Inc./Air Sdk \& Compiler2 versions
    cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.190
    • (no CPE)range: < 19.0.0.213
  • Adobe Inc./Flashplayer
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    Range: <=11.2.202.521
  • Adobe Inc./Flash Playerllm-fuzzy
    Range: < 18.0.0.252 (Windows/OS X), < 19.0.0.207 (Windows/OS X), < 11.2.202.535 (Linux)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.