CVE-2013-0644
Description
Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0649 and CVE-2013-1374.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player and AIR allows remote code execution; affects multiple platforms before specified versions.
Vulnerability
A use-after-free vulnerability exists in Adobe Flash Player and Adobe AIR. The flaw is triggered via unspecified vectors and leads to memory corruption. Affected versions include Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x. Also affected are Adobe AIR before 3.6.0.597 and Adobe AIR SDK before 3.6.0.599 [1][2].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted Flash (SWF) file, typically via a web page or email attachment. No authentication is required, and the attacker does not need any special network position beyond delivering the malicious content. The exact exploitation steps are not publicly detailed, but the use-after-free condition can be triggered through crafted actions in the Flash content [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the affected system. This can lead to full compromise of the user's machine, including data theft, installation of malware, or further network propagation. The impact is rated as critical, with the potential for remote code execution at the privilege level of the current user [1][2].
Mitigation
Adobe has released updates to address this vulnerability. Users should upgrade to the following fixed versions: Flash Player 10.3.183.63 or 11.6.602.168 (Windows), 10.3.183.61 or 11.6.602.167 (Mac), 10.3.183.61 or 11.2.202.270 (Linux), 11.1.111.43 (Android 2.x/3.x), 11.1.115.47 (Android 4.x); AIR 3.6.0.597; AIR SDK 3.6.0.599. Red Hat provided updates via RHSA-2013-0254 [1]. US-CERT also issued an advisory recommending updates [2]. No workarounds are documented; updating is the recommended action.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* range: <3.6.0.597
- (no CPE) range: before 3.6.0.597
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* range: <3.6.0.599
- (no CPE) range: before 3.6.0.599
- Range: before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00009.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00010.html (nvd: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00011.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-0254.html (nvd: Third Party Advisory)
- www.adobe.com/support/security/bulletins/apsb13-05.html (nvd: Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA13-043A.html (nvd: Third Party Advisory, US Government Resource)