Unrated severity · NVD Advisory · Published Nov 11, 2015 · Updated May 6, 2026

CVE-2015-8042


Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via a crafted loadSound call, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 18.0.0.261/19.0.0.245 on Windows/OS X and 11.2.202.548 on Linux suffers from a use-after-free in Sound.loadSound, enabling arbitrary code execution.

Vulnerability

CVE-2015-8042 is a use-after-free vulnerability in Adobe Flash Player's handling of ActionScript 2 (AS2) Sound objects. A crafted call to the loadSound method can trigger the use-after-free condition [3]. The flaw affects Flash Player versions before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, and before 11.2.202.548 on Linux, as well as Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 [1][2][4].

Exploitation

Exploitation requires user interaction: the victim must visit a malicious web page or open a crafted SWF file. The attacker crafts a specially formed SWF that invokes the loadSound method on a Sound object in a way that frees memory while it is still referenced, leading to a use-after-free [3]. No special network position or authentication is necessary beyond delivering the malicious file to the target.

Impact

Successful exploitation allows an attacker to execute arbitrary code under the context of the current process (the Flash Player plugin or standalone player). This can lead to full compromise of the affected system, including potential data disclosure, denial of service, or further code execution [2][3]. The ZDI advisory notes that the CVSS score is 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) [3].

Mitigation

Adobe released fixed versions on November 10, 2015: Flash Player 18.0.0.261, 19.0.0.245, and 11.2.202.548, and AIR 19.0.0.241 [1][2][4]. Red Hat provided updated packages (flash-plugin 11.2.202.548) for Red Hat Enterprise Linux 5 and 6 Supplementary through RHSA-2015-2023 and RHSA-2015-2024 [1][2]. Gentoo users should upgrade to >=www-plugins/adobe-flash-11.2.202.548 [4]. There is no known workaround other than applying the updates.
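
Because the fix level depends on both branch and platform, the version boundaries above can be encoded as an inventory check. This is an added example, not code from Adobe or the cited advisories; the CSV layout, host names, product/platform labels and sample versions are assumptions constructed for illustration.

```python
import csv
import io

# First fixed versions, taken from the advisory text above.
FLASH_18_FIX = (18, 0, 0, 261)       # Windows / OS X, 18.x and older
FLASH_19_FIX = (19, 0, 0, 245)       # Windows / OS X, 19.x branch
FLASH_LINUX_FIX = (11, 2, 202, 548)  # Linux
AIR_FIX = (19, 0, 0, 241)            # AIR, AIR SDK, AIR SDK & Compiler

def parse_version(text):
    """'19.0.0.226' -> (19, 0, 0, 226); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(product, platform, version):
    """True if the advisory lists this build as affected by CVE-2015-8042."""
    v = parse_version(version)
    product, platform = product.lower(), platform.lower()
    if product == "air":
        return v < AIR_FIX
    if product != "flash":
        raise ValueError(f"unknown product: {product}")
    if platform == "linux":
        return v < FLASH_LINUX_FIX
    if platform in ("windows", "osx"):
        # 19.x has its own fix level; 18.0.0.261 and later 18.x builds are fixed.
        return v < (FLASH_19_FIX if v[0] == 19 else FLASH_18_FIX)
    raise ValueError(f"unknown platform: {platform}")

# Constructed sample inventory (hosts and versions are illustrative only).
SAMPLE_INVENTORY = """host,product,platform,version
ws-01,flash,windows,19.0.0.226
ws-02,flash,windows,18.0.0.261
ws-03,flash,osx,18.0.0.255
lx-01,flash,linux,11.2.202.548
lx-02,flash,linux,11.2.202.540
dev-01,air,windows,19.0.0.213
dev-02,air,osx,19.0.0.241
"""

def triage(inventory_csv):
    """Return hosts whose installed build predates the fixed version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["host"] for r in rows
            if is_vulnerable(r["product"], r["platform"], r["version"])]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```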

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 14


References: 8
