VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 10, 2014· Updated May 6, 2026

CVE-2014-0559

CVE-2014-0559

Description

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0556.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244/15.0.0.152 on Windows/OS X and 11.2.202.406 on Linux allows remote code execution via unspecified vectors.

Vulnerability

A heap-based buffer overflow vulnerability exists in Adobe Flash Player before 13.0.0.244 (Windows and OS X), 14.x and 15.x before 15.0.0.152 (Windows and OS X), and before 11.2.202.406 (Linux). It also affects Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, as well as AIR SDK and AIR SDK & Compiler before 15.0.0.249 [2]. The issue is triggered via unspecified vectors, likely through crafted SWF content [1]. This is a distinct vulnerability from CVE-2014-0556.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious Adobe Flash file (SWF) delivered via a compromised webpage or email. No authentication is required; the attacker only needs to deliver the crafted file to a target running a vulnerable version of Flash Player or AIR. The exploitation does not require user interaction beyond the initial load, as the overflow occurs during parsing of the file [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code within the context of the affected process. This can lead to complete compromise of the system including data theft, installation of malware, or further network propagation. The impact is high for confidentiality, integrity, and availability [1][2].

Mitigation

Adobe released fixed versions: Flash Player 13.0.0.244 and 15.0.0.152 (Windows/OS X), 11.2.202.406 (Linux), and AIR 15.0.0.249/15.0.0.252. Users should update immediately [2]. There is no known workaround besides upgrading [2]. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About Secunia Research | Flexera
  2. Multiple vulnerabilities (GLSA 201409-05) — Gentoo security

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

54
  • Adobe Inc./Air6 versions
    cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:a:adobe:adobe_air:*:*:*:*:*:*:*:*range: <=14.0.0.178
    • cpe:2.3:a:adobe:adobe_air:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:14.0.0.110:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air:14.0.0.137:*:*:*:*:*:*:*
    • (no CPE)range: <15.0.0.249 (Windows/OS X) and <15.0.0.252 (Android)
  • Adobe Inc./Air Sdk6 versions
    cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:a:adobe:adobe_air_sdk:*:*:*:*:*:*:*:*range: <=14.0.0.178
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.137:*:*:*:*:*:*:*
    • (no CPE)range: <15.0.0.249
  • Adobe Inc./Flashplayer41 versions
    cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*+ 40 more
    • cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*range: <=13.0.0.241
    • cpe:2.3:a:adobe:flash_player:11.2.202.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.228:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.233:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.235:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.236:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.238:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.243:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.251:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.258:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.261:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.262:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.270:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.273:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.275:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.280:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.285:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.291:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.297:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.310:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.332:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.335:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.336:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.341:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.346:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.350:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.356:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.359:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.378:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:11.2.202.394:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.201:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.206:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.214:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.223:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:13.0.0.231:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
    • cpe:2.3:a:adobe:flash_player:15.0.0.144:*:*:*:*:*:*:*
  • GNU/Flash Playerllm-fuzzy
    Range: <15.0.0.152 (Windows/OS X) and <11.2.202.406 (Linux)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

9

News mentions

0

No linked articles in our index yet.