VYPR
Unrated severity · NVD Advisory · Published Dec 10, 2015 · Updated May 6, 2026

CVE-2015-8416

Description

Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-8045, CVE-2015-8047, CVE-2015-8060, CVE-2015-8408, CVE-2015-8417, CVE-2015-8418, CVE-2015-8419, CVE-2015-8443, CVE-2015-8444, CVE-2015-8451, and CVE-2015-8455.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Adobe Flash Player's TextBlock.releaseLineCreationData allows remote code execution via crafted SWF content.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player's TextBlock object when the releaseLineCreationData method is called. The flaw leaves a dangling pointer that an attacker can cause to be used after the memory it references has been freed. Affected versions include Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X, and before 11.2.202.554 on Linux, as well as Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 [1].

Exploitation

An attacker can exploit this vulnerability by convincing a user to visit a malicious web page or open a malicious file containing crafted SWF content. No authentication is required, and the attack can be launched remotely. The specific flaw is triggered by calling releaseLineCreationData on a TextBlock object, which leads to a use-after-free condition that can be leveraged for arbitrary code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process (typically the web browser or Flash plugin). This can lead to full system compromise, including data theft, installation of malware, or denial of service. The CVSS score is 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) [1].

Mitigation

Adobe released fixes in Flash Player 20.0.0.228 (and corresponding updates for earlier branches) and AIR 20.0.0.204. Gentoo Linux users should upgrade to >=www-plugins/adobe-flash-11.2.202.559 [2]. No workaround is available. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
