CVE-2015-8639
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, and CVE-2015-8650.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before patched versions allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X, before 11.2.202.559 on Linux, as well as in Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233. The flaw is triggered via unspecified vectors, allowing memory corruption [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash file (SWF) or visit a malicious web page that loads the vulnerable Flash Player. No authentication or user interaction beyond the initial action is required, and the attack can be launched remotely [1][2].
Impact
Successful exploitation leads to arbitrary code execution in the context of the affected application (browser or standalone player). This can result in full compromise of the user's system, including data theft, installation of malware, or further lateral movement within a network [1][2].
Mitigation
Adobe released fixed versions: Flash Player 20.0.0.267 (and 18.0.0.324 for older branches), AIR 20.0.0.233, and Linux Flash Player 11.2.202.559. Red Hat and Gentoo have issued advisories urging immediate updates [1][2]. Users should apply the latest updates from Adobe or their distribution's package manager. No workaround is available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=20.0.0.204
- (no CPE)range: <20.0.0.233
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=20.0.0.204
- (no CPE)range: <20.0.0.233
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=20.0.0.204
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=11.2.202.554
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*
- (no CPE)range: <=20.0.0.267 (Windows/OS X); <=11.2.202.559 (Linux)
- osv-coords6 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1
< 11.2.202.559-0.32.1+ 5 more
- (no CPE)range: < 11.2.202.559-0.32.1
- (no CPE)range: < 11.2.202.559-0.32.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
13- helpx.adobe.com/security/products/flash-player/apsb16-01.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00045.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00046.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00047.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00048.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2697.htmlnvd
- www.securityfocus.com/bid/79701nvd
- www.securitytracker.com/id/1034544nvd
- www.zerodayinitiative.com/advisories/ZDI-15-649nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201601-03nvd
News mentions
0No linked articles in our index yet.