Unrated severity · NVD Advisory · Published Nov 11, 2015 · Updated May 6, 2026

CVE-2015-7651

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via crafted DefineFunction atoms, a different vulnerability than CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Flash Player's AS2 DefineFunction handling allows remote code execution with user interaction.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player's handling of ActionScript 2 (AS2) DefineFunction atoms. The flaw affects Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and macOS, before 11.2.202.548 on Linux, as well as Adobe AIR before 19.0.0.241. By crafting a malicious SWF file with custom AS2 DefineFunction atoms, an attacker can trigger an invalid free condition, leading to memory corruption [1][3].

Exploitation

An attacker must persuade the target to visit a malicious web page or open a crafted SWF file (user interaction is required). No additional authentication or network position is needed beyond standard web access. The crafted SWF file forces an invalid free when Flash processes the specially formed DefineFunction atoms, which subsequently leads to a use-after-free [3].

Impact

Successful exploitation allows the attacker to execute arbitrary code within the context of the Flash Player process. On Red Hat Enterprise Linux, the advisory states the vulnerability could allow an attacker to cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loads a page containing the malicious SWF content [2]. The attacker gains the same privileges as the user running the browser or Flash application.

Mitigation

Adobe released fixes in Flash Player 18.0.0.261, 19.0.0.245 (Windows/macOS), 11.2.202.548 (Linux), and Adobe AIR 19.0.0.241. Red Hat issued RHSA-2015:2023 and RHSA-2015:2024 to update flash-plugin to version 11.2.202.548 on Red Hat Enterprise Linux 5 and 6 Supplementary [1][2]. Gentoo provided GLSA 201511-02 [4]. No workaround exists; users must apply the update. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
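The affected-version ranges in the description have two fixed branches for Flash Player on Windows and OS X, which a single "less than" comparison gets wrong. The following check is an added example, not code from Adobe, NVD or this site; the function names and inventory rows are constructed, and the version boundaries are copied from the advisory text above.

```python
# Added example. Fixed-version boundaries are copied from the advisory text;
# function names and the inventory rows are constructed for illustration.
FLASH_DESKTOP_ESR_FIX = (18, 0, 0, 261)   # Windows / OS X, 18.x and older
FLASH_DESKTOP_19_FIX = (19, 0, 0, 245)    # Windows / OS X, 19.x
FLASH_LINUX_FIX = (11, 2, 202, 548)
AIR_FIX = (19, 0, 0, 241)                 # AIR, AIR SDK, AIR SDK & Compiler
AIR_PRODUCTS = {"air", "air sdk", "air sdk & compiler"}


def parse_version(text):
    """Parse a dotted version such as '19.0.0.226' into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(product, platform, version):
    """True if the version falls in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    product, platform = product.strip().lower(), platform.strip().lower()
    if product in AIR_PRODUCTS:
        return v < AIR_FIX
    if product != "flash player":
        raise ValueError(f"product not covered by this advisory: {product!r}")
    if platform == "linux":
        return v < FLASH_LINUX_FIX
    if platform in ("windows", "os x"):
        # Two fixed branches: 19.x compares against 19.0.0.245, everything
        # older against 18.0.0.261, so 18.0.0.261 itself is not flagged.
        return v < (FLASH_DESKTOP_19_FIX if v[0] >= 19 else FLASH_DESKTOP_ESR_FIX)
    raise ValueError(f"platform not covered by this advisory: {platform!r}")


def hosts_needing_update(inventory):
    """Return host names whose (product, platform, version) row is affected."""
    return [host for host, prod, plat, ver in inventory
            if is_affected(prod, plat, ver)]


# Constructed inventory rows: (host, product, platform, installed version)
SAMPLE_INVENTORY = [
    ("ws-01", "Flash Player", "Windows", "19.0.0.226"),
    ("ws-02", "Flash Player", "Windows", "18.0.0.261"),
    ("mac-01", "Flash Player", "OS X", "18.0.0.255"),
    ("rhel-01", "Flash Player", "Linux", "11.2.202.548"),
    ("rhel-02", "Flash Player", "Linux", "11.2.202.540"),
    ("build-01", "AIR SDK", "Windows", "19.0.0.213"),
]
```

The check covers only the ranges this advisory states; a version it does not flag may still be affected by later Flash Player advisories.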

Affected products

14

References

8