II. Description
If the ASnative(900,1) is invoked with TextField instance and getter properties associated with swfRoot where the getter method includes a call to removeTextField(), the TextField instance is used after it is freed.
IV. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.
It has been assigned by Adobe as CVE-2016-0983
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html