CVE-2014-0496
Published: 15 January 2014
Summary
CVE-2014-0496 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2014-0496 is a use-after-free vulnerability, tracked under CWE-416, that affects Adobe Reader and Acrobat versions 10.x prior to 10.1.9 and 11.x prior to 11.0.06 on Windows and Mac OS X. The flaw is reachable through unspecified vectors in these applications' PDF processing and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, no required privileges, and required user interaction.
An attacker can exploit the issue by supplying a maliciously crafted document that triggers the use-after-free condition, resulting in arbitrary code execution with the privileges of the current user. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected system.
Adobe's security bulletin APSB14-01 addresses the vulnerability with updated versions 10.1.9 and 11.0.06; organizations are advised to apply these patches promptly to eliminate the affected code paths.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-0527
Vulnerability details
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of security-relevant patches to eliminate the vulnerable code paths in Adobe Reader/Acrobat.
- SI-3 (Malicious Code Protection): malicious-code protection mechanisms can inspect incoming PDFs and block or alert on exploit-bearing documents before the use-after-free is triggered.
- CM-7 (Least Functionality): the least-functionality principle can be applied by disabling or removing Acrobat/Reader on systems that do not require PDF processing, eliminating the attack surface.