Cyber Resilience

CVE-2014-0496

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 January 2014

Modified: 21 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7113 (98.7th percentile)
Risk Priority: 80 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-0496 is a high-severity Use After Free (CWE-416) vulnerability in Adobe Acrobat. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2014-0496 is a use-after-free vulnerability, tracked under CWE-416, that affects Adobe Reader and Acrobat versions 10.x prior to 10.1.9 and 11.x prior to 11.0.06 on Windows and Mac OS X. The vulnerability description leaves the attack vectors unspecified. The flaw carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, no required privileges, and required user interaction.

An attacker can exploit the issue by supplying a maliciously crafted document that triggers the use-after-free condition, resulting in arbitrary code execution with the privileges of the current user. Successful exploitation compromises the confidentiality, integrity, and availability of the affected system.

Adobe's security bulletin APSB14-01 addresses the vulnerability with the updated versions 10.1.9 and 11.0.06; organizations are advised to apply these patches promptly to eliminate the affected code paths.

Vulnerability details

Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allows attackers to execute arbitrary code via unspecified vectors.

CWE(s): CWE-416
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: acrobat
Versions: 10.0 to 10.1.9 · 11.0 to 11.0.6

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely installation of security-relevant patches to eliminate the vulnerable code paths in Adobe Reader/Acrobat.

prevent · detect

Malicious-code protection mechanisms can inspect incoming PDFs and block or alert on exploit-bearing documents before the use-after-free is triggered.

prevent

Least-functionality principle can be applied by disabling or removing Acrobat/Reader on systems that do not require PDF processing, eliminating the attack surface.
