CVE-2015-8439
Description
The SharedObject object implementation in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code by leveraging an unspecified "type confusion" during a getRemote call, a different vulnerability than CVE-2015-8456.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player type confusion in SharedObject.getRemote allows remote code execution via crafted SWF file.
Vulnerability
The SharedObject object implementation in Adobe Flash Player contains a type confusion vulnerability during a getRemote call. Affected versions include Flash Player before 18.0.0.268, 19.x and 20.x before 20.0.0.228 on Windows and OS X, and before 11.2.202.554 on Linux; Adobe AIR before 20.0.0.204; Adobe AIR SDK before 20.0.0.204; and Adobe AIR SDK & Compiler before 20.0.0.204. [1][2]
Exploitation
Remote attackers can trigger the type confusion by convincing a user to visit a malicious webpage or open a malicious SWF file. User interaction is required. The specific flaw exists in the getRemote method of SharedObject objects, leading to the type confusion. [1]
Impact
Successful exploitation allows arbitrary code execution in the context of the current user process. The CVSS score is 6.8 (medium). [1][2]
Mitigation
Adobe released fixed versions: Flash Player 18.0.0.268, 20.0.0.228, and 11.2.202.559 (Linux); AIR 20.0.0.204. Users should update to these versions. No workaround is available. [1][2]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
16cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=19.0.0.241
- (no CPE)range: <20.0.0.204
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=19.0.0.241
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.261
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*
- Range: <18.0.0.268 and >=19.0 <20.0.0.228 (Windows/OS X); <11.2.202.554 (Linux)
- osv-coords6 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1
< 11.2.202.554-0.29.1+ 5 more
- (no CPE)range: < 11.2.202.554-0.29.1
- (no CPE)range: < 11.2.202.554-0.29.1
- (no CPE)range: < 11.2.202.554-114.1
- (no CPE)range: < 11.2.202.554-114.1
- (no CPE)range: < 11.2.202.554-114.1
- (no CPE)range: < 11.2.202.554-114.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
11- helpx.adobe.com/security/products/flash-player/apsb15-32.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00007.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00008.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00012.htmlnvd
- www.securityfocus.com/bid/78714nvd
- www.securitytracker.com/id/1034318nvd
- zerodayinitiative.com/advisories/ZDI-15-606nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201601-03nvd
News mentions
0No linked articles in our index yet.