CVE-2015-7658
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via crafted actionInstanceOf arguments, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free vulnerability in Adobe Flash Player allows remote code execution via crafted actionInstanceOf arguments.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, and before 11.2.202.548 on Linux, as well as in Adobe AIR before 19.0.0.241 [2][3]. The flaw resides in the actionInstanceOf opcode when processing crafted arguments, leading to a dangling pointer that can be reused after being freed [3].
Exploitation
Exploitation requires user interaction, such as visiting a malicious webpage or opening a crafted SWF file [3]. The attacker manipulates the arguments passed to the actionInstanceOf opcode to trigger a use-after-free condition, which can be leveraged to execute arbitrary code [3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process, potentially leading to full system compromise [2][3].
Mitigation
Adobe released updates for Flash Player (18.0.0.261/19.0.0.245 on Windows and OS X, 11.2.202.548 on Linux) and AIR (19.0.0.241) [2][4]. Red Hat issued RHSA-2015-2024 to update the flash-plugin package [2]. Gentoo recommends upgrading to >=www-plugins/adobe-flash-11.2.202.548 [4]. No workaround is available [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (15)
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=19.0.0.190
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=19.0.0.213
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=19.0.0.213
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.540
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- Range: <18.0.0.261 and <19.0.0.245 (Windows/OS X), <11.2.202.548 (Linux)
osv-coords (4 versions), package coordinates:
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.548-0.26.1
- (no CPE) range: < 11.2.202.548-0.26.1
- (no CPE) range: < 11.2.202.548-111.1
- (no CPE) range: < 11.2.202.548-111.1
Patches
No patches discovered yet.
References (8)
- helpx.adobe.com/security/products/flash-player/apsb15-28.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2023.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2024.html (nvd)
- www.securityfocus.com/bid/77533 (nvd)
- www.securitytracker.com/id/1034111 (nvd)
- www.zerodayinitiative.com/advisories/ZDI-15-562 (nvd)
- security.gentoo.org/glsa/201511-02 (nvd)