CVE-2013-0649
Description
Use-after-free vulnerability in Adobe Flash Player before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x; Adobe AIR before 3.6.0.597; and Adobe AIR SDK before 3.6.0.599 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0644 and CVE-2013-1374.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Adobe Flash Player before 10.3.183.63/11.6.602.168 and AIR before 3.6.0.597 allows remote code execution via unspecified vectors.
Vulnerability
CVE-2013-0649 is a use-after-free vulnerability in Adobe Flash Player and AIR. The flaw exists in Flash Player versions before 10.3.183.63 and 11.x before 11.6.602.168 on Windows, before 10.3.183.61 and 11.x before 11.6.602.167 on Mac OS X, before 10.3.183.61 and 11.x before 11.2.202.270 on Linux, before 11.1.111.43 on Android 2.x and 3.x, and before 11.1.115.47 on Android 4.x. Adobe AIR before 3.6.0.597 and AIR SDK before 3.6.0.599 are also affected [1][2]. The vulnerability can be triggered via unspecified vectors, likely involving malformed SWF content that causes a dangling pointer [2].
Exploitation
Exploitation requires an attacker to convince a user to visit a malicious web page or open a crafted SWF file. No authentication or special network position is needed; the attacker is remote and unauthenticated [2]. The user must interact by viewing the content in a browser or application that uses the affected Flash Player or AIR runtime. The exact sequence of steps is not publicly detailed; what is known is that the runtime continues to use memory after it has been freed, which is the use-after-free condition an attacker would have to reach.
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the affected Flash Player or AIR process [1][2]. This can lead to full system compromise, including unauthorized access to files, data disclosure, and denial of service. The attacker gains the privileges of the user running the vulnerable software, which may be administrative if the user has elevated rights.
Mitigation
Adobe released fixes in Flash Player 10.3.183.63/11.6.602.168 (Windows), 10.3.183.61/11.6.602.167 (Mac), 10.3.183.61/11.2.202.270 (Linux), 11.1.111.43 (Android 2.x/3.x), 11.1.115.47 (Android 4.x), AIR 3.6.0.597, and AIR SDK 3.6.0.599 [1][2]. Users should update to these versions immediately. Red Hat Enterprise Linux users can apply RHSA-2013:0254 [1]. No workarounds are documented; disabling Flash Player in the browser is a general preventive measure. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:* (range: <3.6.0.597)
- (no CPE) range: <=3.6.0.597
- cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:* (range: <3.6.0.599)
- (no CPE) range: <=3.6.0.599
- Adobe Flash Player, range: before 10.3.183.63 and 11.x before 11.6.602.168
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00009.html (NVD: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00010.html (NVD: Mailing List, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-02/msg00011.html (NVD: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-0254.html (NVD: Third Party Advisory)
- www.adobe.com/support/security/bulletins/apsb13-05.html (NVD: Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA13-043A.html (NVD: Third Party Advisory, US Government Resource)
News mentions
No linked articles in our index yet.