Unrated severity · NVD Advisory · Published May 14, 2014 · Updated May 6, 2026

CVE-2014-0520

Description

Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0518, and CVE-2014-0519.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player before 13.0.0.214 (Windows/OS X) or 11.2.202.359 (Linux) and AIR SDK before 13.0.0.111 allow bypass of intended access restrictions via unspecified vectors.

Vulnerability

This vulnerability affects Adobe Flash Player versions before 13.0.0.214 on Windows and OS X, and before 11.2.202.359 on Linux, as well as Adobe AIR SDK and SDK & Compiler versions before 13.0.0.111. The flaw allows attackers to bypass intended access restrictions via unspecified vectors. [1][2]

Exploitation

Exploitation requires an attacker to serve a crafted Flash (SWF) file to a victim. The attack can be delivered through web pages, email attachments, or other means that trigger the Flash Player. The exact sequence of steps is not disclosed in the available references, but the vulnerability is described as allowing bypass of access restrictions without needing authentication or special privileges. [1][2]

Impact

Successful exploitation enables an attacker to bypass security restrictions that are normally enforced by the Flash Player sandbox or cross-domain policies. This could lead to unauthorized access to sensitive data, such as reading files or communicating with domains that would otherwise be restricted, potentially leading to further compromise. [1][2]

Mitigation

Adobe released updates to fix this vulnerability: Flash Player 13.0.0.214 (Windows/OS X) and 11.2.202.359 (Linux), and AIR SDK 13.0.0.111. Users should upgrade to these versions. Red Hat has released updates via RHSA-2014:0496 for RHEL 5 and 6. Gentoo recommends upgrading to the patched version. There are no known workarounds other than updating. [1][2]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5

References

5
