CVE-2015-7643
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via a Video object with a crafted deblocking property, a different vulnerability than CVE-2015-7629, CVE-2015-7631, and CVE-2015-7644.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player use-after-free in Video objects via crafted deblocking property enables remote code execution.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X, before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213. The flaw is triggered by manipulating the deblocking property of a Video object, causing a dangling pointer to be reused after it has been freed [1][2][3].
Exploitation
Exploitation requires user interaction: the victim must visit a malicious web page or open a crafted SWF file. The attacker specifically crafts the deblocking property on a Video object to force a use-after-free condition. No additional authentication or network position is needed beyond the ability to serve the malicious content [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process (the Flash Player plugin or AIR runtime). This can lead to full compromise of the affected system, including unauthorized access, data disclosure, or further malware installation [2][3].
Mitigation
Adobe released fixes in Flash Player 18.0.0.252/19.0.0.207, AIR 19.0.0.213, and Linux Flash Player 11.2.202.535 (later 11.2.202.548). Red Hat shipped updated packages (11.2.202.548) via RHSA-2015:1893 and RHSA-2015:2024 [1][2]. Gentoo advised upgrading to >=11.2.202.548 [4]. Users should apply updates promptly; no workaround exists if unpatched.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
11cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: <19.0.0.213
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: <19.0.0.213
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=19.0.0.190
- Range: <18.0.0.252 and <19.0.0.207
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.535-0.20.1+ 3 more
- (no CPE)range: < 11.2.202.535-0.20.1
- (no CPE)range: < 11.2.202.535-0.20.1
- (no CPE)range: < 11.2.202.535-105.1
- (no CPE)range: < 11.2.202.535-105.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- helpx.adobe.com/security/products/flash-player/apsb15-25.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00011.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00012.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00013.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-10/msg00018.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-1893.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
- www.securityfocus.com/bid/77061nvd
- www.securitytracker.com/id/1033797nvd
- www.zerodayinitiative.com/advisories/ZDI-15-511nvd
- security.gentoo.org/glsa/201511-02nvd
News mentions
0No linked articles in our index yet.