Unrated severity · NVD Advisory · Published Aug 12, 2014 · Updated May 6, 2026

CVE-2014-0545

Description

Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X and before 11.2.202.400 on Linux, Adobe AIR before 14.0.0.178 on Windows and OS X and before 14.0.0.179 on Android, Adobe AIR SDK before 14.0.0.178, and Adobe AIR SDK & Compiler before 14.0.0.178 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, and CVE-2014-0544.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Flash Player fails to restrict memory address discovery, allowing attackers to bypass ASLR and facilitate further exploitation.

Vulnerability

Adobe Flash Player before 13.0.0.241 and 14.x before 14.0.0.176 on Windows and OS X, and before 11.2.202.400 on Linux, along with the corresponding Adobe AIR versions, do not properly restrict discovery of memory addresses. This allows an attacker to bypass the Address Space Layout Randomization (ASLR) protection mechanism via unspecified vectors [1].

Exploitation

An attacker can exploit this vulnerability by delivering a crafted SWF file or other Flash content to the target system. The specific vectors are not disclosed, but the vulnerability can be triggered without requiring authentication or user interaction beyond loading the malicious content. The root cause is a failure to properly sanitize memory address information, enabling the attacker to determine memory layouts.

Impact

Successful exploitation bypasses ASLR, a key security mitigation. This significantly increases the reliability of exploiting other vulnerabilities, potentially leading to arbitrary code execution within the context of the affected application. The overall impact includes possible remote code execution, as indicated in referenced advisories [1].

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.241, 14.0.0.176, and 11.2.202.400; Adobe AIR 14.0.0.178; and corresponding SDK versions. Users should update immediately. No workaround is available, and the vulnerability is exploitable remotely without authentication. Gentoo Linux recommends upgrading to the latest ebuild [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

47
  • Adobe Inc./Air (5 versions)
    cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* (+ 4 more)
    • cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:* (range: <=14.0.0.110)
    • cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:14.0.0.110:*:*:*:*:*:*:*
    • (no CPE) range: <14.0.0.178 on Windows/OS X, <14.0.0.179 on Android
  • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* (+ 4 more)
    • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:* (range: <=14.0.0.137)
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:*:*:*:*:*:*:*
    • (no CPE) range: <14.0.0.178
  • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (+ 35 more)
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=13.0.0.231)
    • cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.378:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
  • GNU/Flash Player (llm-fuzzy)
    Range: <13.0.0.241 on Windows/OS X, <14.0.0.176 on Windows/OS X for 14.x, <11.2.202.400 on Linux
