CVE-2015-7660
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via crafted setMask arguments, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player's setMask method allows remote code execution via crafted SWF.
Vulnerability
This is a use-after-free vulnerability in Adobe Flash Player's setMask method. Affected versions include Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, before 11.2.202.548 on Linux; Adobe AIR before 19.0.0.241; Adobe AIR SDK before 19.0.0.241; and Adobe AIR SDK & Compiler before 19.0.0.241 [1][2][3][4].
Exploitation
An attacker can craft a malicious SWF file that passes manipulated arguments to the setMask method, causing a dangling pointer to be reused after it has been freed. User interaction is required—the victim must visit a malicious page or open the malicious file [3].
Impact
Successful exploitation allows arbitrary code execution in the context of the current process, potentially leading to full system compromise [3][4].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.261 and 19.0.0.245, AIR 19.0.0.241, and Linux Flash Player 11.2.202.548. Red Hat and Gentoo issued corresponding updates [1][2][4]. No known workaround exists [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
15cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <19.0.0.241
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.255
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- Range: <18.0.0.261, <19.0.0.245, <11.2.202.548
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.548-0.26.1+ 3 more
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-111.1
- (no CPE)range: < 11.2.202.548-111.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- helpx.adobe.com/security/products/flash-player/apsb15-28.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2023.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
- www.securityfocus.com/bid/77533nvd
- www.securitytracker.com/id/1034111nvd
- www.zerodayinitiative.com/advisories/ZDI-15-565nvd
- security.gentoo.org/glsa/201511-02nvd
News mentions
0No linked articles in our index yet.