Unrated severityNVD Advisory· Published Dec 8, 2008· Updated Apr 23, 2026

CVE-2008-5363

Description

The ActionScript 2 virtual machine in Adobe Flash Player 10.x before 10.0.12.36 and 9.x before 9.0.151.0, and Adobe AIR before 1.5, does not validate character elements during retrieval from the dictionary data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF file.

Affected products

Adobe Inc./Air
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
Range: <1.5
Adobe Inc./Flashplayer
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Range: >=9.0.16.0,<9.0.151.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.adobe.com/support/security/bulletins/apsb08-22.htmlnvdPatchVendor Advisory
secunia.com/advisories/33390nvdThird Party Advisory
secunia.com/advisories/34226nvdThird Party Advisory
security.gentoo.org/glsa/glsa-200903-23.xmlnvdThird Party Advisory
securityreason.com/securityalert/4692nvdThird Party Advisory
support.avaya.com/elmodocs2/security/ASA-2009-020.htmnvdThird Party Advisory
www.isecpartners.com/advisories/2008-01-flash.txtnvdThird Party Advisory
www.securityfocus.com/archive/1/498561/100/0/threadednvdThird Party AdvisoryVDB Entry
sunsolve.sun.com/search/document.donvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000