CVE-2015-8649
Description
Use-after-free vulnerability in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-8634, CVE-2015-8635, CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641, CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647, CVE-2015-8648, and CVE-2015-8650.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player before versions 18.0.0.324 and 19.x/20.x before 20.0.0.267 on Windows and OS X, before 11.2.202.559 on Linux, as well as in Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233. The flaw can be triggered when processing specially crafted Flash content, leading to memory corruption [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to load a malicious Flash file, typically via a web page or email attachment. No authentication is required, and the attack can be performed remotely. The exact vectors are unspecified but involve improper handling of object references [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the affected Flash process. This can lead to full system compromise, including data disclosure, modification, or denial of service, depending on the privileges of the user [1][2].
Mitigation
Adobe has released fixed versions: Flash Player 20.0.0.267 (Windows/OS X), 11.2.202.559 (Linux), and AIR 20.0.0.233. Red Hat issued an advisory (RHSA-2015:2697) [1], and Gentoo provided a GLSA (201601-03) [2] recommending immediate upgrade. No workarounds are available; users should apply the updates.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*range: <=20.0.0.204
- (no CPE)range: <20.0.0.233
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*range: <=20.0.0.204
- (no CPE)range: <20.0.0.233
- cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*Range: <=20.0.0.204
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=18.0.0.268
- cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*
- (no CPE)range: <18.0.0.324 || >=19.0 <20.0.0.267
- osv-coords6 versionspkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1
< 11.2.202.559-0.32.1+ 5 more
- (no CPE)range: < 11.2.202.559-0.32.1
- (no CPE)range: < 11.2.202.559-0.32.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
- (no CPE)range: < 11.2.202.559-117.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
13- helpx.adobe.com/security/products/flash-player/apsb16-01.htmlnvdPatchVendor Advisory
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00045.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00046.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00047.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00048.htmlnvd
- rhn.redhat.com/errata/RHSA-2015-2697.htmlnvd
- www.securityfocus.com/bid/79701nvd
- www.securitytracker.com/id/1034544nvd
- www.zerodayinitiative.com/advisories/ZDI-15-653nvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvd
- security.gentoo.org/glsa/201601-03nvd
News mentions
0No linked articles in our index yet.