VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2014 · Updated Apr 29, 2026

CVE-2014-0499

Description

Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 do not prevent access to address information, which makes it easier for attackers to bypass the ASLR protection mechanism via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before fixed versions on Windows, Mac, Linux, and AIR on Android expose address information, weakening ASLR and aiding exploit development.

Vulnerability

Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 (Windows/Mac) and before 11.2.202.341 (Linux), as well as Adobe AIR before 4.0.0.1628 on Android and the corresponding SDKs, allow access to address information that aids in bypassing the Address Space Layout Randomization (ASLR) protection mechanism [1][2]. This information leak can be exploited without user interaction beyond opening malicious content.

Exploitation

An attacker can exploit this vulnerability by crafting a specially designed SWF file that, when processed by a vulnerable Flash Player or AIR runtime, leaks memory addresses [2]. The attacker does not require authentication or special network position; the exploitation vector typically involves enticing a user to visit a malicious website or open a crafted SWF file [2]. No user interaction beyond standard browsing is needed if the user's browser loads the file automatically.

Impact

Successful exploitation provides the attacker with address information that weakens ASLR, making it easier to chain with other Flash Player memory corruption vulnerabilities for arbitrary code execution [1][2]. This can lead to full compromise of the affected system, including remote code execution with the privileges of the user running the Flash Player process [2].

Mitigation

Adobe released fixed versions on February 20, 2014: Flash Player 11.7.700.269 and 12.0.0.70 for Windows/Mac, 11.2.202.341 for Linux; AIR 4.0.0.1628 for Android and SDKs [1][2]. Red Hat Enterprise Linux users should apply RHSA-2014:0196 [1]; Gentoo users should upgrade to adobe-flash-11.2.202.356 [2]. There is no known workaround [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Adobe Inc./Air, 2 versions
    cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*, range: <4.0.0.1628
    • (no CPE), range: before 4.0.0.1628 on Android
  • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*, range: <4.0.0.1628
    • (no CPE), range: before 4.0.0.1628
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
    Range: >=11.0,<11.7.700.269
  • Range: before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux
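
An added example, not part of the advisory or any vendor tooling: a Python check that applies the affected ranges from the description above to a software inventory. The product and platform labels, the acceptance of comma-separated version strings, and the inventory rows are assumptions constructed for illustration.

```python
import re

# Fixed builds transcribed from the CVE-2014-0499 description on this page.
FLASH_11_7_FIX = (11, 7, 700, 269)   # Windows / Mac OS X, 11.7 and earlier
FLASH_11_8_START = (11, 8, 0, 0)     # start of "11.8.x through 12.0.x"
FLASH_12_0_FIX = (12, 0, 0, 70)      # Windows / Mac OS X, 11.8.x-12.0.x
FLASH_LINUX_FIX = (11, 2, 202, 341)  # Linux
AIR_FIX = (4, 0, 0, 1628)            # AIR on Android and both AIR SDKs


def parse_version(text):
    """Parse '12.0.0.44' or '12,0,0,44' into a zero-padded 4-tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) > 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(product, platform, version):
    """True if the build falls inside a range the advisory lists as affected."""
    v = parse_version(version)
    if product == "flash_player" and platform == "linux":
        return v < FLASH_LINUX_FIX
    if product == "flash_player" and platform in ("windows", "macos"):
        # Two disjoint ranges: a patched 11.7 build sorts below 12.0.0.70 but is fixed.
        return v < FLASH_11_7_FIX or FLASH_11_8_START <= v < FLASH_12_0_FIX
    if product == "air" and platform == "android":
        return v < AIR_FIX
    if product in ("air_sdk", "air_sdk_compiler"):
        return v < AIR_FIX  # the description names no platform for the SDKs
    raise ValueError(f"not covered by the advisory: {product!r} on {platform!r}")


# Constructed inventory rows (host, product, platform, version); not real hosts.
INVENTORY = [
    ("ws-01", "flash_player", "windows", "12.0.0.44"),
    ("ws-02", "flash_player", "windows", "11,7,700,272"),
    ("mac-01", "flash_player", "macos", "12.0.0.70"),
    ("lnx-01", "flash_player", "linux", "11.2.202.336"),
    ("bld-01", "air_sdk", "any", "4.0.0.1390"),
]


def audit(rows):
    """Return the (host, product, version) rows that still need the update."""
    return [(h, p, v) for h, p, plat, v in rows if is_affected(p, plat, v)]
```

Calling audit(INVENTORY) returns the hosts still inside an affected range; combinations the description does not cover raise ValueError rather than being reported as safe.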

References

6