CVE-2020-14664
Description
Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-14664 is an out-of-bounds write in JavaFX HTML rendering in Oracle Java SE 8u251, allowing remote code execution with user interaction.
Vulnerability
This vulnerability exists in the JavaFX component of Oracle Java SE 8u251. The flaw is an out-of-bounds write during HTML rendering due to improper validation of user-supplied data, as described in the ZDI advisory [1]. It affects Java clients running sandboxed Java Web Start applications or applets that load untrusted code.
Exploitation
An unauthenticated attacker with network access can exploit this vulnerability by crafting malicious HTML content. Successful exploitation requires user interaction, such as convincing a user to open a specially crafted webpage or document that triggers the vulnerable HTML rendering path in JavaFX [1]. The attack complexity is high due to the need for precise conditions.
Impact
If exploited, the attacker can execute arbitrary code in the context of the target process, leading to a full compromise of confidentiality, integrity, and availability. The CVSS base score is 8.3, with a scope change affecting additional products [description].
Mitigation
Oracle addressed this vulnerability in the July 2020 Critical Patch Update (likely in Java SE 8u261) [description]. Gentoo advises removing Oracle JDK/JRE and replacing it with OpenJDK (dev-java/openjdk, dev-java/openjdk-bin, or dev-java/openjdk-jre-bin), as no workaround exists [2]. The vulnerability is not listed in the CISA KEV as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 8u251 (JavaFX component)
- OSV coordinates (34 versions, no CPE):
  - pkg:apk/chainguard/openjdk-11-openj9, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-dbg, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-default-jdk, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-default-jvm, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-default-policy, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-doc, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-jmods, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-11-openj9-jre, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-dbg, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-default-jdk, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-default-jvm, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-default-policy, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-doc, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-jmods, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-17-openj9-jre, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-dbg, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-default-jdk, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-default-jvm, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-default-policy, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-doc, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-jmods, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-21-openj9-jre, range: < 0.53.0-r0
  - pkg:apk/chainguard/openjdk-8-openj9, range: < 0.53.0-r1
  - pkg:apk/chainguard/openjdk-8-openj9-dbg, range: < 0.53.0-r1
  - pkg:apk/chainguard/openjdk-8-openj9-default-jdk, range: < 0.53.0-r1
  - pkg:apk/chainguard/openjdk-8-openj9-default-jvm, range: < 0.53.0-r1
  - pkg:apk/chainguard/openjdk-8-openj9-doc, range: < 0.53.0-r1
  - pkg:apk/chainguard/openjdk-8-openj9-jre, range: < 0.53.0-r1
  - pkg:bitnami/java, range: < 1.8.0
  - pkg:bitnami/java-min, range: < 1.8.0
  - pkg:bitnami/jre, range: < 1.8.0
  - pkg:rpm/opensuse/openjfx&distro=openSUSE%20Tumbleweed, range: < 11.0.12-2.2
- Range: Java SE: 8u251
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202209-15 (source: mitre; tags: vendor-advisory, x_refsource_GENTOO)
- security.netapp.com/advisory/ntap-20200717-0005/ (source: mitre; tags: x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpujul2020.html (source: mitre; tags: x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-897/ (source: mitre; tags: x_refsource_MISC)
News mentions
No linked articles in our index yet.