CVE-2015-7663
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player allows arbitrary code execution via malicious SWF files.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, and before 11.2.202.548 on Linux, as well as in Adobe AIR before 19.0.0.241. The flaw is triggered via unspecified vectors, potentially through specially crafted SWF content [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a malicious SWF file, either by hosting it on a website or embedding it in an email. No authentication is required, and the attack can be performed remotely. The exact exploitation steps are not publicly disclosed [2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the affected user's browser or Flash Player instance. This could lead to full system compromise, including data theft or installation of malware. The vulnerability is rated critical [1][2].
Mitigation
Adobe has released fixed versions: Flash Player 18.0.0.261, 19.0.0.245, and 11.2.202.548; AIR 19.0.0.241. Users should update immediately. Red Hat has provided updated packages for Red Hat Enterprise Linux 5 Supplementary, and Gentoo has issued a GLSA recommending upgrade [1][2][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
14cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <=19.0.0.240
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*range: <=19.0.0.213
- (no CPE)range: <=19.0.0.240
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.255
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- (no CPE)range: <=19.0.0.244 on Windows/OS X; <=18.0.0.260 on Windows/OS X; <=11.2.202.547 on Linux
- osv-coords4 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
< 11.2.202.548-0.26.1+ 3 more
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-0.26.1
- (no CPE)range: < 11.2.202.548-111.1
- (no CPE)range: < 11.2.202.548-111.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- helpx.adobe.com/security/products/flash-player/apsb15-28.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2023.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2024.htmlnvd
- www.securityfocus.com/bid/77533nvd
- www.securitytracker.com/id/1034111nvd
- security.gentoo.org/glsa/201511-02nvd
News mentions
0No linked articles in our index yet.