CVE-2015-8046

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player's TextField.antiAliasType setter [3]. When the setter is invoked with an object whose toString method frees the TextField instance, the property write occurs on freed memory [3]. This affects Flash Player versions before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X, before 11.2.202.548 on Linux, as well as Adobe AIR before 19.0.0.241, AIR SDK before 19.0.0.241, and AIR SDK & Compiler before 19.0.0.241 [1][2][4].

Exploitation

An attacker must deliver a specially crafted SWF file to a victim [2]. The SWF creates a TextField, sets its antiAliasType to an object with a custom toString method, and within that method removes the TextField (e.g., via removeMovieClip) [3]. After the removal, the setter continues writing to the now-freed memory region, triggering the use-after-free [3]. No additional authentication or privileges are required; the victim only needs to load the malicious SWF in a vulnerable Flash Player instance [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the user running the Flash Player, potentially leading to full system compromise [2][4]. The vulnerability can also cause a denial-of-service condition or sensitive information disclosure [2][4].

Mitigation

Adobe released fixed versions: Flash Player 18.0.0.261 and 19.0.0.245 for Windows/OS X, 11.2.202.548 for Linux, and AIR 19.0.0.241 [1][2][4]. Red Hat and Gentoo have also provided updated packages [1][2][4]. Users should update to these versions immediately; no workaround is available [4].