Unrated severity · NVD Advisory · Published Oct 15, 2015 · Updated May 6, 2026

CVE-2015-7644

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, and CVE-2015-7643.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 18.0.0.252/19.0.0.207 (Windows/OS X) or 11.2.202.535 (Linux) contains a use-after-free that lets attackers execute arbitrary code via crafted SWF files.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player prior to version 18.0.0.252 and 19.x before 19.0.0.207 on Windows and macOS, and before version 11.2.202.535 on Linux. The issue also affects Adobe AIR before 19.0.0.213 and related SDK versions. The flaw is reachable when a victim loads a specially crafted SWF file; no special configuration beyond enabling Flash content is required [1][3].

Exploitation

To exploit this vulnerability, an attacker must lure a victim into opening a malicious SWF file, typically by visiting a compromised website or opening a crafted email attachment. No authentication or special network position is needed beyond the user viewing the content in a browser or other Flash-enabled application. The exploit sequence involves triggering the use-after-free condition via unspecified vectors, leading to memory corruption [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary code within the context of the Flash Player process. Depending on the user's privileges, this can lead to full system compromise, including installation of malware, data exfiltration, or denial of service. No CVSS base score is provided, but Red Hat describes the vulnerability as Critical [1][2].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.252/19.0.0.207 (Windows/macOS) and 11.2.202.535 (Linux), as well as AIR 19.0.0.213. Red Hat provided updates to version 11.2.202.548 for RHEL 5 Supplementary (RHSA-2015:2024), and the earlier RHSA-2015:1893 addressed related issues [1][2]. Gentoo users should upgrade to >=www-plugins/adobe-flash-11.2.202.548 [3]. No workarounds are available; users must install the updates to mitigate the risk.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
