Unrated severity · NVD Advisory · Published Aug 12, 2014 · Updated May 6, 2026

CVE-2014-0542

Description

Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Flash Player before 13.0.0.241/14.x before 14.0.0.176 and AIR before 14.0.0.178 on Windows/OS X/Android do not restrict memory address discovery, allowing ASLR bypass via unspecified vectors.

Vulnerability

Adobe Flash Player versions before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X, before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X, before 14.0.0.179 on Android, and Adobe AIR SDK / SDK & Compiler before 14.0.0.178 do not properly restrict the discovery of memory addresses. This flaw allows attackers to bypass the Address Space Layout Randomization (ASLR) protection mechanism through unspecified vectors, as described in the CVE description and Gentoo security advisory [1]. It is distinct from related CVEs: CVE-2014-0540, CVE-2014-0543, CVE-2014-0544, and CVE-2014-0545.

Exploitation

An attacker would need to deliver a crafted SWF file or invoke an unspecified vector that triggers the memory address discovery. No user authentication is required beyond normal interaction with malicious Flash content. The attacker does not need local access; remote exploitation is possible via web pages or other means that load the Flash content. The exact sequence of steps is not detailed in the references, but the vulnerability is exploited by sending a specially crafted file to a vulnerable Flash Player instance [1].

Impact

Successful exploitation allows the attacker to bypass the ASLR security mitigation, exposing memory addresses that can then be leveraged to achieve arbitrary code execution, information disclosure, or denial of service. The attacker gains the privileges of the Flash Player process, which could lead to full system compromise if combined with additional vulnerabilities [1]. The CIA impact is high due to potential for code execution and bypass of a key protection.

Mitigation

Users should upgrade to the fixed versions: Adobe Flash Player 13.0.0.241 or 14.0.0.176 on Windows and OS X, 11.2.202.400 on Linux; Adobe AIR 14.0.0.178 on Windows and OS X, 14.0.0.179 on Android; and corresponding AIR SDK versions. The fixed versions were released on 2014-08-12. The Gentoo advisory recommends upgrading to >=www-plugins/adobe-flash-11.2.202.400 [1]. No workaround is available; applying the update is the only mitigation.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (47)

  • Adobe Inc./Air (5 versions)
    cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* + 4 more
    • cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* range: <=14.0.0.137
    • cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:14.0.0.110:*:*:*:*:*:*:*
    • (no CPE) range: <14.0.0.178 (Windows/OS X); <14.0.0.179 (Android)
  • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* + 4 more
    • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* range: <=14.0.0.137
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:*:*:*:*:*:*:*
    • (no CPE) range: <14.0.0.178
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* + 35 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* range: <=13.0.0.231
    • cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.378:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
  • GNU/Flash Player (llm-fuzzy)
    Range: <13.0.0.241; <14.0.0.176 (Windows/OS X); <11.2.202.400 (Linux)
