CVE-2015-7655
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via crafted actionExtends arguments, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player's actionExtends method allows remote code execution via crafted SWF.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player's actionExtends method. By manipulating arguments to this method, an attacker can cause a dangling pointer to be reused after it has been freed. This affects Flash Player versions before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, before 11.2.202.548 on Linux, and Adobe AIR before 19.0.0.241 [1][2][3].
Exploitation
Exploitation requires user interaction: the victim must visit a malicious web page or open a crafted SWF file. The attacker crafts specific actionExtends arguments to trigger the use-after-free, then leverages the dangling pointer to execute arbitrary code [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the current process (the Flash Player plugin). This can lead to full system compromise, including data disclosure, further malware installation, or denial of service [2][3][4].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.261/19.0.0.245 (Windows/OS X), 11.2.202.548 (Linux), and AIR 19.0.0.241. Red Hat and Gentoo issued updates [1][2][4]. Users should update immediately. No workaround is available [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
14cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.190
- (no CPE)range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <19.0.0.241
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.540
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- Range: <18.0.0.261, <19.0.0.245, <11.2.202.548
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.548-0.26.1+ 3 more
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-111.1
- (no CPE)range: < 11.2.202.548-111.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- helpx.adobe.com/security/products/flash-player/apsb15-28.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2023.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
- www.securityfocus.com/bid/77533nvd
- www.securitytracker.com/id/1034111nvd
- www.zerodayinitiative.com/advisories/ZDI-15-559nvd
- security.gentoo.org/glsa/201511-02nvd
News mentions
0No linked articles in our index yet.