Cyber Resilience

CVE-2014-0502

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 February 2014
Modified: 21 April 2026
KEV Added: 17 September 2024
Patch: available (Adobe APSB14-07)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.8983 (99.6th percentile)
Risk Priority: 92 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2014-0502 is a high-severity Double Free (CWE-415) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by EPSS exploit likelihood (EPSS 0.8983); CISA added it to the Known Exploited Vulnerabilities catalog on 17 September 2024; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

The vulnerability is a double free flaw (CWE-415) present in Adobe Flash Player versions before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, and the corresponding AIR SDK and Compiler packages before 4.0.0.1628. It carries a CVSS 3.1 score of 8.8.

The CVE description does not specify the trigger beyond "unspecified vectors"; remote attackers can use it to achieve arbitrary code execution on affected systems. The CVSS vector (AV:N, UI:R) reflects that the attacker needs the victim to load attacker-controlled Flash content, for example by visiting a malicious page or opening a document that embeds a crafted SWF. The vulnerability was exploited in the wild in February 2014.

Adobe's APSB14-07 bulletin and related distribution advisories (openSUSE, Red Hat) recommend immediate upgrade to the fixed versions listed above. No other mitigations such as configuration changes are specified in the references.
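The practical SI-2 question for this CVE is whether a given Flash Player or AIR build is at or above the fixed versions named above. The following is an added example written for this page, not code from Adobe or from the advisory: it encodes the affected ranges from the CVE description as (lower inclusive, upper exclusive) pairs and triages an inventory against them. The product/platform keys and the INVENTORY records are this script's own constructed data, not a vendor schema.

```python
"""Triage Adobe Flash Player / AIR installs against the fixed versions
named for CVE-2014-0502 (Adobe APSB14-07).

Added example for this page, not Adobe's or the tracker's code. The
thresholds come from the CVE description; product/platform keys and the
INVENTORY records below are constructed sample data.
"""

from __future__ import annotations

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """'11.8.800.94' -> (11, 8, 800, 94); shorter strings are zero-padded
    so '12.0' compares as (12, 0, 0, 0). Rejects anything that is not
    one to four non-negative dotted integers."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


# Affected ranges per (product, platform) as (lower inclusive, upper exclusive).
# None means no lower bound; every upper bound is a fixed build from APSB14-07.
AFFECTED: Dict[Tuple[str, str], List[Tuple[Optional[Version], Version]]] = {
    ("flash_player", "windows"): [
        (None, parse_version("11.7.700.269")),                  # before 11.7.700.269
        (parse_version("11.8"), parse_version("12.0.0.70")),    # 11.8.x..12.0.x before 12.0.0.70
    ],
    ("flash_player", "linux"): [(None, parse_version("11.2.202.341"))],
    ("air", "android"): [(None, parse_version("4.0.0.1628"))],
    ("air_sdk", "any"): [(None, parse_version("4.0.0.1628"))],
    ("air_sdk_compiler", "any"): [(None, parse_version("4.0.0.1628"))],
}
# Windows and Mac OS X share the same desktop ranges in the description.
AFFECTED[("flash_player", "macos")] = AFFECTED[("flash_player", "windows")]


def is_vulnerable(product: str, platform: str, version: str) -> bool:
    """True if the build falls inside an affected range for product/platform.
    Raises ValueError for products this CVE does not cover, so an unknown
    product is never silently reported as patched."""
    key = (product, platform)
    if key not in AFFECTED:
        raise ValueError(f"no CVE-2014-0502 data for {product}/{platform}")
    v = parse_version(version)
    return any((lo is None or lo <= v) and v < hi for lo, hi in AFFECTED[key])


def triage(inventory: List[dict]) -> List[dict]:
    """Return the inventory records that still need the APSB14-07 update."""
    return [r for r in inventory
            if is_vulnerable(r["product"], r["platform"], r["version"])]


# Constructed sample inventory; hostnames and versions are made up.
# ws-03 is on the 11.7 extended-support line at a build above 11.7.700.269,
# which the description does not list as affected, so it must not be flagged.
INVENTORY = [
    {"host": "ws-01", "product": "flash_player", "platform": "windows", "version": "12.0.0.44"},
    {"host": "ws-02", "product": "flash_player", "platform": "windows", "version": "12.0.0.70"},
    {"host": "ws-03", "product": "flash_player", "platform": "windows", "version": "11.7.700.275"},
    {"host": "lx-01", "product": "flash_player", "platform": "linux", "version": "11.2.202.332"},
    {"host": "dev-01", "product": "air_sdk", "platform": "any", "version": "3.9.0.1380"},
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['host']}: {r['product']} {r['version']} needs APSB14-07")
```

Two points the ranges make explicit: a 12.0.x build is only safe at 12.0.0.70 or later, and a patched 11.7 extended-support build is outside the affected ranges even though it is numerically older than 11.8. Feed the function whatever your endpoint agent reports for the Flash ActiveX/NPAPI and AIR version strings.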

The flaw saw active exploitation shortly after disclosure, underscoring the need for rapid patching of Flash and AIR installations. Adobe ended support for Flash Player on 31 December 2020, so on any current estate the answer is removal of the runtime rather than patching it.


Vulnerability details

Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.

CWE(s): CWE-415 Double Free
KEV Date Added: 17 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe · Product: flash player · Versions: before 11.7.700.269, and 11.8.800.94 through 12.0.x before 12.0.0.70 (Windows, Mac OS X); before 11.2.202.341 (Linux)
Vendor: adobe · Product: adobe air sdk · Versions: before 4.0.0.1628
Vendor: adobe · Product: adobe air · Versions: before 4.0.0.1628
Vendor: opensuse · Product: opensuse · Versions: 11.4, 12.3, 13.1
Vendor: suse · Product: linux enterprise desktop · Versions: 11
Vendor: redhat · Product: enterprise linux desktop · Versions: 5.0, 6.0
Vendor: redhat · Product: enterprise linux eus · Versions: 6.5
Vendor: redhat · Product: enterprise linux server · Versions: 5.0, 6.0
Vendor: redhat · Product: enterprise linux server aus · Versions: 6.5
Vendor: redhat · Product: enterprise linux workstation · Versions: 5.0, 6.0

The Flash Player bounds follow the CVE description: the listed build is the first fixed version, so a build equal to it is not affected. The distribution entries are the openSUSE, SUSE and Red Hat releases whose Flash plugin packages were updated in the related advisories.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor patches (APSB14-07 and the distribution updates) that eliminate the double-free flaw in Flash Player and AIR before exploitation can occur.

SC-18 Mobile Code (prevent, partial match)

Restricts execution of untrusted mobile code (Flash SWF content) that remote attackers use to trigger the vulnerability.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or removing Flash/AIR components that are not required for system operation; with Flash Player out of support, removal is the durable form of this control.
