Cyber Resilience

CVE-2014-8439

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 November 2014
Modified: 21 April 2026
KEV Added: 25 May 2022
Patch: available (Adobe bulletins APSB14-22 and APSB14-26, see below)
CVSS Score v3.1: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.3444 (97.1st percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-8439 is a high-severity memory-safety vulnerability in Adobe Flash Player, classified as Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119). Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 2.9% of CVEs by EPSS exploit likelihood (97.1st percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), that is, installing the patched releases listed below, and SC-18 (Mobile Code), that is, preventing untrusted Flash content from executing at all.

Deeper analysis

Adobe Flash Player before 13.0.0.258, and 14.x/15.x before 15.0.0.239, on Windows and OS X; Flash Player before 11.2.202.424 on Linux; Adobe AIR before 15.0.0.293; and the AIR SDK and AIR SDK & Compiler before 15.0.0.302 contain an invalid pointer dereference flaw tracked as CVE-2014-8439. Adobe did not publish the triggering vector ("unspecified vectors"). The issue is classified under CWE-119 and CWE-416 and carries a CVSS 3.1 score of 8.8: the attacker needs no privileges and reaches the bug over the network, but a user must open the malicious content (UI:R).

An attacker who gets a victim to load crafted Flash content (a web page embedding a malicious SWF, or an AIR application that consumes attacker-controlled content) triggers the flaw and obtains arbitrary code execution in the Flash or AIR process, or crashes it. Because Flash ran inside the browser, exploitation required nothing beyond a visit to an attacker-controlled or compromised page; Adobe confirmed in APSB14-26 that an exploit was circulating in the wild, consistent with the KEV listing above.

Adobe security bulletins APSB14-22 (October 2014) and APSB14-26 (November 2014), along with the corresponding openSUSE advisories, direct users to the patched releases listed above for Flash Player, AIR, and the SDK components as the primary mitigation. APSB14-26 was an out-of-band release that added hardening for the vector first addressed in APSB14-22, so builds from APSB14-22 alone are not sufficient; check installed versions against the APSB14-26 thresholds. No further workarounds or configuration changes are specified in the references. Flash Player reached end of life on 31 December 2020, so on any current estate the correct remediation is removal rather than patching.


Vulnerability details

Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer); CWE-416 is also cited in the analysis above.
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets (last affected build on each line, as listed)

adobe flash player: ≤ 11.2.202.418 (Linux) · ≤ 13.0.0.252 (13.x line, Windows/OS X) · ≤ 15.0.0.223 (14.x/15.x line, Windows/OS X)
adobe air: ≤ 15.0.0.292
adobe air sdk: ≤ 15.0.0.301
adobe air sdk & compiler: ≤ 15.0.0.302 as listed; the vulnerability description gives 15.0.0.302 as the fixed build, so treat 15.0.0.301 as the last affected release and 15.0.0.302 as patched
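The version ranges in the description and in the affected-assets list above are easy to misread because Flash had two parallel release lines (13.x extended support and 14.x/15.x) with different fixed builds. The following Python script is an added example, not code from this page or from Adobe: it encodes exactly the thresholds stated above and runs them over an inventory. The inventory records, host names and the `SAMPLE_INVENTORY`, `is_affected` and `find_vulnerable` names are constructed for illustration.

```python
"""Worked check of the CVE-2014-8439 affected-version ranges.

Added example, not code from the page or from Adobe. The thresholds below are
copied from the vulnerability description on this page; the inventory records
at the bottom are constructed sample data, not real hosts.
"""
from __future__ import annotations

from typing import Iterable, Tuple

Version = Tuple[int, int, int, int]

# First fixed build on each release line, per the vulnerability description.
FLASH_FIXED_WIN_MAC_13 = (13, 0, 0, 258)   # 13.x line, and everything older than 13
FLASH_FIXED_WIN_MAC_15 = (15, 0, 0, 239)   # 14.x / 15.x line
FLASH_FIXED_LINUX = (11, 2, 202, 424)
AIR_FIXED = (15, 0, 0, 293)
AIR_SDK_FIXED = (15, 0, 0, 302)            # both "AIR SDK" and "AIR SDK & Compiler"


def parse_version(text: str) -> Version:
    """Turn '15.0.0.223' into (15, 0, 0, 223); shorter strings are right-padded with zeros."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted Adobe build number: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def is_affected(product: str, platform: str, version: str) -> bool:
    """Return True when (product, platform, version) lies inside the CVE-2014-8439 ranges."""
    v = parse_version(version)
    product = product.lower()
    platform = platform.lower()
    if product == "flash_player":
        if platform in ("windows", "osx", "macos"):
            # "before 13.0.0.258" covers the 13.x line and every older release;
            # "14.x and 15.x before 15.0.0.239" is a separate, later line, so a
            # 13.x build at or above 13.0.0.258 is patched even though it is < 15.0.0.239.
            if v < FLASH_FIXED_WIN_MAC_13:
                return True
            return (14, 0, 0, 0) <= v < FLASH_FIXED_WIN_MAC_15
        if platform == "linux":
            return v < FLASH_FIXED_LINUX
        raise ValueError(f"no published range for Flash Player on {platform!r}")
    if product == "air":
        return v < AIR_FIXED
    if product in ("air_sdk", "air_sdk_and_compiler"):
        return v < AIR_SDK_FIXED
    raise ValueError(f"product {product!r} is not covered by CVE-2014-8439")


def find_vulnerable(inventory: Iterable[dict]) -> list:
    """Return the host names whose installed build is still inside an affected range."""
    return [
        rec["host"]
        for rec in inventory
        if is_affected(rec["product"], rec["platform"], rec["version"])
    ]


# Constructed sample inventory; versions chosen to exercise each boundary.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "flash_player", "platform": "windows", "version": "15.0.0.223"},   # affected
    {"host": "ws-02", "product": "flash_player", "platform": "windows", "version": "15.0.0.239"},   # fixed
    {"host": "ws-03", "product": "flash_player", "platform": "windows", "version": "13.0.0.252"},   # affected, 13.x line
    {"host": "ws-04", "product": "flash_player", "platform": "windows", "version": "13.0.0.258"},   # fixed 13.x build
    {"host": "lx-01", "product": "flash_player", "platform": "linux",   "version": "11.2.202.418"}, # affected
    {"host": "lx-02", "product": "flash_player", "platform": "linux",   "version": "11.2.202.424"}, # fixed
    {"host": "dev-01", "product": "air_sdk_and_compiler", "platform": "any", "version": "15.0.0.301"},  # affected
    {"host": "dev-02", "product": "air_sdk_and_compiler", "platform": "any", "version": "15.0.0.302"},  # fixed
]

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: affected build installed; apply the APSB14-26 release or remove Flash/AIR")
```

Note that the check treats 15.0.0.302 of the AIR SDK & Compiler as patched, following the vulnerability description rather than the "≤ 15.0.0.302" asset listing; if your inventory feed uses the listing's bound, expect one extra (false-positive) hit on that exact build.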

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely installation of the vendor patches that remediate the invalid-pointer flaw in Flash/AIR.

SC-18 Mobile Code (prevent): requires control over mobile code (Flash) so that untrusted or vulnerable content capable of triggering the CVE is never executed.

CM-7 Least Functionality (prevent): enforces least functionality by disabling or removing the vulnerable Flash Player/AIR components entirely; given Flash's end of life, this is the control to apply on any system where Flash or AIR is still present.
