CVE-2015-8044
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, and CVE-2015-8046.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player allows arbitrary code execution via unspecified vectors, patched in versions 18.0.0.261/19.0.0.245/11.2.202.548.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, and before 11.2.202.548 on Linux. The same issue affects Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241. The flaw is triggered by unspecified vectors, indicating a memory management error that can be exploited through crafted SWF content [1][2][3].
Exploitation
An attacker can exploit this vulnerability by delivering a specially crafted SWF file to the victim. The attacker does not need prior authentication, only the ability to serve the malicious file via a website or other means. When the victim loads the SWF content in a vulnerable Flash Player instance, the use-after-free condition is triggered, allowing the attacker to hijack execution flow [2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the affected user process. This can lead to full system compromise, including installation of malware, data exfiltration, or further lateral movement within the victim's environment. The impact is rated Critical due to the lack of user interaction beyond loading content [2][3].
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.261 / 19.0.0.245 (Windows and OS X), 11.2.202.548 (Linux), and AIR 19.0.0.241 as of November 2015. Linux distributions such as Red Hat and Gentoo provided updates via RHSA-2015:2023, RHSA-2015:2024, and GLSA 201511-02. No workaround is available; users must update to patched versions [1][2][3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=19.0.0.213
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <=19.0.0.213
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=19.0.0.213
- (no CPE) range: <19.0.0.241
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.540
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- Range: <18.0.0.261 on Windows/OS X, <19.0.0.245 on Windows/OS X, <11.2.202.548 on Linux
osv-coords (4 versions)
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
- pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.548-0.26.1
- (no CPE) range: < 11.2.202.548-0.26.1
- (no CPE) range: < 11.2.202.548-111.1
- (no CPE) range: < 11.2.202.548-111.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- helpx.adobe.com/security/products/flash-player/apsb15-28.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2015-11/msg00071.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2023.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2024.html (nvd)
- www.securityfocus.com/bid/77533 (nvd)
- www.securitytracker.com/id/1034111 (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- security.gentoo.org/glsa/201511-02 (nvd)
News mentions
No linked articles in our index yet.