CVE-2015-7652
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via a crafted gridFitType property value, a different vulnerability than CVE-2015-7651, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in Adobe Flash Player's TextField.gridFitType setter allows arbitrary code execution via crafted SWF content.
Vulnerability
A use-after-free vulnerability exists in the TextField.gridFitType property setter of Adobe Flash Player. The bug resides in the ActionScript 2 TextField object; when gridFitType is set to an object whose toString method frees the TextField, the dangling pointer is subsequently reused. This affects Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, before 11.2.202.548 on Linux, and Adobe AIR before 19.0.0.241 [1][2][3]. A proof-of-concept ActionScript 2 snippet shows var o = {toString : func} where func calls removeMovieClip() to free the text field during the property assignment [4].
Exploitation
An attacker must craft a malicious SWF file that triggers the use-after-free. The exploit requires user interaction: the victim must open a malicious page or file hosting the SWF. No special network position is needed beyond standard web delivery. The specific flaw leverages the gridFitType property setter: when gridFitType is assigned an object with a custom toString method, that method can free the TextField object; after the method returns, the setter writes to the freed memory [3][4]. A successful exploit follows the sequence of creating a TextField, assigning an object with a malicious toString to gridFitType, and letting the playback engine execute the freed memory.
Impact
Successful exploitation allows remote code execution in the context of the current process (the Flash Player plugin or standalone player). The attacker gains the ability to execute arbitrary code, potentially leading to full compromise of the affected system [2][3]. The vulnerability is rated Critical (CVSS base score 6.8 [3]) and can lead to information disclosure, file write, or installation of malware.
Mitigation
Adobe released fixed versions: Flash Player 19.0.0.245 (and 18.0.0.261 for earlier 18.x), Linux 11.2.202.548, and Adobe AIR 19.0.0.241. Red Hat issued updated flash-plugin packages (version 11.2.202.548) for Red Hat Enterprise Linux 5 Supplementary [2]. Users should update to the patched versions immediately. No workaround exists; disabling Flash Player in the browser reduces exposure.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: < 19.0.0.241
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=19.0.0.213
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.255
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- (no CPE)range: < 18.0.0.261 on Windows/OS X; < 19.0.0.245 on Windows/OS X; < 11.2.202.548 on Linux
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.548-0.26.1+ 3 more
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-111.1
- (no CPE)range: < 11.2.202.548-111.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- helpx.adobe.com/security/products/flash-player/apsb15-28.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2023.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
- www.securityfocus.com/bid/77533nvd
- www.securitytracker.com/id/1034111nvd
- www.zerodayinitiative.com/advisories/ZDI-15-557nvd
- security.gentoo.org/glsa/201511-02nvd
- www.exploit-db.com/exploits/39020/nvd
News mentions
0No linked articles in our index yet.