Cyber Resilience

CVE-2014-9163

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 December 2014
Modified: 21 April 2026
KEV Added: 13 April 2022
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0319 (87.3rd percentile)
Risk Priority: 38 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-9163 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Adobe Flash Player. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 12.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2014-9163 is a stack-based buffer overflow vulnerability, tracked under CWE-121, that affects Adobe Flash Player versions prior to 13.0.0.259, 14.x and 15.x versions prior to 15.0.0.246 on Windows and OS X, and versions prior to 11.2.202.425 on Linux. The flaw resides in the Flash Player component and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, required user interaction, and high impact on confidentiality, integrity, and availability.

An attacker can exploit the issue by supplying specially crafted content that triggers the overflow, resulting in arbitrary code execution on the affected system. The vulnerability was observed being exploited in the wild in December 2014, with the attack path relying on local access and user interaction such as opening a malicious file or visiting a compromised page that invokes Flash.

Adobe addressed the flaw in security bulletin APSB14-27, which details the updated Flash Player releases that remediate the buffer overflow. The vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming active exploitation and underscoring the need for immediate application of the vendor patches on all supported platforms.

EU & UK References

Vulnerability details

Stack-based buffer overflow in Adobe Flash Player before 13.0.0.259 and 14.x and 15.x before 15.0.0.246 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in December 2014.

CWE(s): CWE-121 (Stack-based Buffer Overflow)
KEV Date Added: 13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Adobe Flash Player: 13.0 to 13.0.0.259 · 14.0 to 14.0.0.179 · 15.0 to 15.0.0.246

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of vendor patches that remediate the stack-based buffer overflow in Adobe Flash Player.

CM-7 Least Functionality
prevent

Enforces disabling or removing Flash Player where it is not explicitly required, eliminating the attack surface for crafted malicious content.

SC-18 Mobile Code (partial match)
prevent

Restricts or authorizes the use of mobile code such as Flash, blocking execution of the exploit-bearing SWF content.

References