I. Summary
There’s a UAF Vulnerability in the PCRE engine version used in Flash that could lead to Remote Code Execution.
II. Affected
Adobe Flash Player 11.5.502.135 ~ 20.0.0.286
III. Reference
Identified as CVE-2016-4121, and reported to Adobe directly.
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
Original report with an exploit demo which will pop up a calculator works well on fp_11.5.502.135 ~ fp_18.0.0.209 shows how to achieve Remote Code Execution.
IV. Credit
bee13oy of CloverSec Labs