CVE-2014-0492
Description
Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux, Adobe AIR before 4.0.0.1390, Adobe AIR SDK before 4.0.0.1390, and Adobe AIR SDK & Compiler before 4.0.0.1390 allow attackers to defeat the ASLR protection mechanism by leveraging an "address leak."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 12.0.0.38 and AIR before 4.0.0.1390 leak an address, defeating ASLR on affected platforms.
Vulnerability
Adobe Flash Player versions before 11.7.700.260, 11.8.x and 11.9.x before 12.0.0.38 (Windows, Mac OS X), and before 11.2.202.335 (Linux), along with Adobe AIR, AIR SDK, and AIR SDK & Compiler before 4.0.0.1390, contain an address leak that allows attackers to defeat the ASLR protection mechanism [1].
Exploitation
An attacker can exploit this vulnerability by leveraging the address leak to bypass ASLR. The exact attack vector is not detailed in the available references, but the attacker likely needs to lure a user into viewing malicious Flash content [1]. No additional authentication or special network position beyond typical web-based Flash exploitation is required.
Impact
Successful exploitation allows an attacker to defeat ASLR, significantly increasing the reliability of exploits for other vulnerabilities. This bypass enables memory corruption attacks that would otherwise be mitigated by address space layout randomization. The impact is a heightened risk of arbitrary code execution in combination with other Flash Player flaws.
Mitigation
Red Hat Enterprise Linux 5 and 6 users should update to Flash Plugin version 11.2.202.335 released on 2014-01-14 [1]. For other platforms, upgrade to Flash Player 12.0.0.38 (Windows/Mac) or 11.2.202.335 (Linux), and AIR to 4.0.0.1390. As of publication, no workaround other than applying the patch has been disclosed.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* (range: <4.0.0.1390)
- (no CPE) (range: <4.0.0.1390)
- Range: <11.7.700.260 on Windows/Mac, <11.2.202.335 on Linux, 11.8.x-11.9.x <12.0.0.38
References
- helpx.adobe.com/security/products/flash-player/apsb14-02.html (nvd: Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2014-01/msg00006.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2014-0028.html (nvd: Third Party Advisory)
- secunia.com/advisories/56516 (nvd: Third Party Advisory)
- secunia.com/advisories/56636 (nvd: Third Party Advisory)
- www.securitytracker.com/id/1029602 (nvd: Third Party Advisory, VDB Entry)