CVE-2014-0502
Published: 21 February 2014
Summary
CVE-2014-0502 is a high-severity Double Free (CWE-415) vulnerability in Adobe Flash Player. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
The vulnerability is a double free flaw (CWE-415) present in Adobe Flash Player versions before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X, before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, and the corresponding AIR SDK and Compiler packages before 4.0.0.1628. It carries a CVSS 3.1 score of 8.8.
Remote attackers can exploit the issue via unspecified vectors to achieve arbitrary code execution on affected systems. The vulnerability was exploited in the wild in February 2014 and requires user interaction such as visiting a malicious page or opening a crafted document.
Adobe's APSB14-07 bulletin and related distribution advisories (openSUSE, Red Hat) recommend immediate upgrade to the fixed versions listed above. No other mitigations such as configuration changes are specified in the references.
The flaw saw active exploitation shortly after disclosure, underscoring the need for rapid patching of Flash and AIR installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-0533
Vulnerability details
Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR…
more
SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.
- CWE(s)
- KEV Date Added
- 17 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patches that eliminate the double-free flaw in Flash Player and AIR before exploitation can occur.
Restricts execution of untrusted mobile code (Flash SWF content) that remote attackers use to trigger the vulnerability.
Enforces least functionality by disabling or removing the vulnerable Flash/AIR components that are not required for system operation.