CVE-2015-8646
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8647, CVE-2015-8648, CVE-2015-8649, and CVE-2015-8650.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player allows arbitrary code execution; affects multiple versions across platforms before updates released in December 2015.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X, and before 11.2.202.559 on Linux. Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 are also affected [1][2]. The vulnerability can be triggered via unspecified vectors, typically involving crafted SWF content that corrupts object memory [1].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious SWF file on a website or through a drive-by download, requiring only that a user visits the compromised page with an affected Flash Player. No authentication or prior access is needed. The use-after-free condition allows the attacker to manipulate memory and eventually gain control of execution flow [2].
Impact
Successful exploitation results in arbitrary code execution in the context of the browser plugin or standalone Flash Player instance. Depending on user privileges, this can lead to full system compromise, including data theft, installation of malware, and further network propagation [1][2].
Mitigation
Adobe released fixed versions on December 28, 2015: Flash Player 20.0.0.267 (Windows/OS X), 11.2.202.559 (Linux), and AIR 20.0.0.233 [1][2]. Red Hat and Gentoo advisories recommend immediate updates via respective package managers [1][2]. No workaround is available; the only mitigation is applying the latest patches.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (18)
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <=20.0.0.204
- (no CPE) range: before 20.0.0.233
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:* range: <=20.0.0.204
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=18.0.0.268
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*
- (no CPE)
- osv-coords, 6 versions:
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1
< 11.2.202.559-0.32.1
- (no CPE) range: < 11.2.202.559-0.32.1
- (no CPE) range: < 11.2.202.559-0.32.1
- (no CPE) range: < 11.2.202.559-117.1
- (no CPE) range: < 11.2.202.559-117.1
- (no CPE) range: < 11.2.202.559-117.1
- (no CPE) range: < 11.2.202.559-117.1
Patches (0)
No patches discovered yet.
References (12)
- helpx.adobe.com/security/products/flash-player/apsb16-01.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00045.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00046.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00047.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00048.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-2697.html (nvd)
- www.securityfocus.com/bid/79701 (nvd)
- www.securitytracker.com/id/1034544 (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- security.gentoo.org/glsa/201601-03 (nvd)