VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2014 · Updated May 6, 2026

CVE-2014-0506

Description

Use-after-free vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to execute arbitrary code, and possibly bypass an Internet Explorer sandbox protection mechanism, via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2014.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Adobe Flash Player versions prior to the patched releases allows remote code execution, as demonstrated at Pwn2Own 2014.

Vulnerability

A use-after-free vulnerability exists in Adobe Flash Player before 11.7.700.275 and in 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X, and before 11.2.202.350 on Linux. It also affects Adobe AIR before 13.0.0.83 on Android, and the AIR SDK and AIR SDK & Compiler before 13.0.0.83. The flaw is triggered via unspecified vectors involving a specially crafted SWF file [1][2].

Exploitation

An attacker can exploit this remotely by enticing a user to open a malicious SWF file in an affected Flash Player instance. No authentication is required, and the attack does not require any special network position beyond standard web delivery. As demonstrated by VUPEN during the Pwn2Own competition at CanSecWest 2014, the exploit can bypass Internet Explorer sandbox protections [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the user running the Flash Player. This can result in full compromise of the affected system, including potential privilege escalation and bypass of browser sandbox mechanisms [1][2].

Mitigation

Adobe released fixed versions: Flash Player 11.7.700.275 and 13.0.0.182 for Windows/OS X, 11.2.202.350 for Linux, and AIR 13.0.0.83 for Android. Red Hat provided updates via RHSA-2014:0380 for Red Hat Enterprise Linux [1], and Gentoo issued GLSA 201405-04 [2]. Users should update immediately; no workaround is available.
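
The affected ranges in the description differ per platform and include a gap (11.7.700.275 and later 11.7 builds are fixed, while 11.8.x through 13.0.x before 13.0.0.182 are not), which a single "less than" comparison gets wrong. The following is an added example, not code from Adobe, NVD or this page; the product and platform strings and the inventory rows are constructed assumptions.

```python
# Added example: affected-version check for CVE-2014-0506, built only from
# the version ranges quoted in the advisory description.

FIXED_11_7 = (11, 7, 700, 275)       # Windows/OS X: "before 11.7.700.275"
RANGE_START = (11, 8, 0, 0)          # Windows/OS X: "11.8.x through 13.0.x ..."
FIXED_13_0 = (13, 0, 0, 182)         # Windows/OS X: "... before 13.0.0.182"
FIXED_LINUX = (11, 2, 202, 350)      # Linux: "before 11.2.202.350"
FIXED_AIR = (13, 0, 0, 83)           # AIR / AIR SDK: "before 13.0.0.83"


def parse_version(text):
    """Turn '13.0.0.182' into (13, 0, 0, 182) so tuples compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, platform, version):
    """Return True if the install falls in a range the advisory lists."""
    v = parse_version(version)
    product, platform = product.lower(), platform.lower()
    if product == "flash player" and platform in ("windows", "os x"):
        # Two disjoint ranges: old builds, and 11.8.x-13.0.x before the fix.
        return v < FIXED_11_7 or RANGE_START <= v < FIXED_13_0
    if product == "flash player" and platform == "linux":
        return v < FIXED_LINUX
    if product == "air" and platform == "android":
        return v < FIXED_AIR
    if product in ("air sdk", "air sdk & compiler"):
        return v < FIXED_AIR         # advisory names no platform for the SDKs
    raise ValueError(f"product/platform not covered: {product}/{platform}")


def triage(inventory):
    """Return host names whose (product, platform, version) is affected."""
    return [host for host, prod, plat, ver in inventory
            if is_affected(prod, plat, ver)]


# Constructed inventory rows (hypothetical hosts), not data from the page.
SAMPLE_INVENTORY = [
    ("ws-01", "Flash Player", "Windows", "12.0.0.77"),
    ("ws-02", "Flash Player", "Windows", "11.7.700.275"),
    ("mac-01", "Flash Player", "OS X", "13.0.0.182"),
    ("lnx-01", "Flash Player", "Linux", "11.2.202.346"),
    ("build-01", "AIR SDK", "any", "13.0.0.83"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```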

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
