There is a use-after-free in URLStream.readObject in Adobe Flash. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.
ff1259c633764b7a4794d5334683a4bcf01d89145f1bfec987f03e966c7618a2
Gentoo Linux Security Advisory 201601-3 - Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code. Versions less than 11.2.202.559 are affected.
b8c52d90e2d0336f1f246283e0e308d85d2986a86017a06c3029d79fbee82b35
Red Hat Security Advisory 2015-2593-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin APSB15-32 listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.
d5dc0f9a309ed83f88463eaa694276f2a32498032be2764a6f466014f34f56fc