Published: 21/02/2014 Updated: 13/12/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Double free vulnerability in Adobe Flash Player prior to 11.7.700.269 and 11.8.x up to and including 12.0.x prior to on Windows and Mac OS X and prior to on Linux, Adobe AIR prior to on Android, Adobe AIR SDK prior to, and Adobe AIR SDK & Compiler prior to allows remote malicious users to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.

Affected Products

Vendor | Product | Versions
Adobe | Adobe Air | -, 1.0, 1.0.1, 1.0.4990, 1.1, 1.5, 1.5.1, 1.5.2, 1.5.3, 2.0.2, 2.0.3, 2.0.4, 2.6, 2.7, 2.7.1
Adobe | Adobe Air Sdk | 3.0.0.4080
Adobe | Flash Player | 11.0, 11.1, 11.3.300.257, 11.3.300.262, 11.3.300.265, 11.3.300.268, 11.3.300.270, 11.3.300.271, 11.3.300.273, 11.4.402.265, 11.4.402.278, 11.4.402.287, 11.5.502.110, 11.5.502.135, 11.5.502.136, 11.5.502.146, 11.5.502.149, 11.6.602.167, 11.6.602.168, 11.6.602.171, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.203, 11.7.700.224, 11.7.700.225, 11.7.700.232, 11.7.700.242, 11.7.700.252, 11.7.700.257, 11.7.700.260, 11.7.700.261, 11.8.800.94, 11.8.800.97, 11.8.800.168, 11.8.800.174, 11.9.900.117, 11.9.900.152, 11.9.900.170, 11.9.900.700

Vendor Advisories

Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via uns ...

Github Repositories

Resources About Shellcode

Recent Articles

Two recently patched Adobe Flash vulnerabilities now used in Exploit Kits
welivesecurity • Sébastien Duquette • 31 Oct 2014

Two Flash vulnerabilities that were fixed by Adobe 2 weeks ago are now being used in exploit kits. This is in addition to a third vulnerability, CVE-2014-0556, that was patched in September and that has also been added to Nuclear EK last week.
Before we get into the nitty-gritty detail, we strongly encourage you to take a moment to check that your Flash player is up to date; we have created a step-by-step guide explaining how to do so, which you can read here.
The first exploit, CVE-...

New Flash vuln exploited (again). Adobe posts emergency fix (again)
The Register • Shaun Nichols in San Francisco • 20 Feb 2014

Miscreants attack fresh hole ... Windows, Mac, Linux peeps at risk

Adobe has released an update to address critical flaws in its Flash Player software, one of which is being actively targeted in the wild.
The company said that the Windows and Mac OS X builds of Flash Player and earlier, and Flash Player and earlier for Linux, must be upgraded to fix a trio of bugs.
Adobe said today's update will "resolve a stack overflow vulnerability that could result in arbitrary code execution (CVE-2014-0498)", fix "a memory leak vulnerabil...

Emergency Adobe Flash Update Handles Zero Day Under Attack
Threatpost • Michael Mimoso • 20 Feb 2014

Adobe rushed out an unscheduled Flash Player update today to counter exploits of a zero-day vulnerability in the software.
A number of national security, foreign policy and public policy websites are hosting exploits that redirect to espionage malware, including the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation.
Those three nonprofit sites, researchers at FireEye said, are redirecting visitors to an ...