Flash suffers from a broker-based sandbox escape.
989036efd58bbccc9c007b2a7121bd6ba170455cc7d74bc71d5f4bbe336962f7
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.
4a8cd33a5f101e483a330b62c04d5e4cf5d733d46fdcb20efda5eb7f32e33f84
Gentoo Linux Security Advisory 201505-2 - Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code. Versions less than 11.2.202.460 are affected.
f663dc1cfad1b619dc5d05e5d0d9e4af9c891c5a188d77bfad0c62379107bdfb