II. Description
If the ASnative(900,1) is invoked with MovieClip instance and getter properties associated with swfRoot where the getter method includes a call to removeMovieClip(), the MovieClip instance is used after it is freed.
IV. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
It has been assigned by Adobe as CVE-2016-0982
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html