VYPR
Unrated severity · NVD Advisory · Published Jul 9, 2014 · Updated May 6, 2026

CVE-2014-0539

Description

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0537.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player and AIR before specific versions allow attackers to bypass access restrictions via unspecified vectors.

Vulnerability

CVE-2014-0539 is an unspecified access restriction bypass vulnerability in Adobe Flash Player and Adobe AIR. Affected versions include Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X, before 11.2.202.394 on Linux; Adobe AIR before 14.0.0.137 on Android; and Adobe AIR SDK and AIR SDK & Compiler before 14.0.0.137 [1][2][3]. The vulnerability allows attackers to bypass intended security restrictions, though the exact mechanism is not disclosed.

Exploitation

An attacker can exploit this vulnerability by delivering a crafted SWF file to a user, typically via a web page or email. No authentication or special network position is required; the attacker only needs to convince the user to load the malicious content in an affected Flash Player or AIR runtime [1][2]. The exploitation vector is remote and does not require user interaction beyond normal browsing.

Impact

Successful exploitation allows the attacker to bypass security restrictions, potentially leading to unauthorized access to sensitive information or system resources. While the vulnerability itself is a bypass, it could be chained with other flaws to achieve arbitrary code execution or data exfiltration [3]. The impact is limited to the context of the Flash Player sandbox, but could be escalated depending on the environment.

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.231, 14.0.0.145, and 11.2.202.394; AIR 14.0.0.137; and corresponding SDK updates [1][2]. Red Hat provided updates via RHSA-2014:0860 for RHEL [1], and Gentoo issued GLSA 201407-02 [3]. Users should update to the latest versions immediately. No workarounds are available.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41
  • Adobe Inc./Air: 4 versions
    cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* + 3 more
    • cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* range: <=14.0.0.110
    • cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*
    • (no CPE) range: < 14.0.0.137
  • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* + 2 more
    • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* range: <=14.0.0.110
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* + 33 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=11.2.202.378
    • cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • (no CPE) range: < 13.0.0.231, 14.x < 14.0.0.145, Linux < 11.2.202.394

References

7
