CVE-2014-8439 : Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Wind

Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 15.0.0.239 on Windows and OS X and before 11.2.202.424 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allow attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors.

Published 2014-11-25 23:59:00

Updated 2025-04-12 10:46:41

Source Adobe Systems Incorporated

View at NVD, CVE.org

Vulnerability category: Execute codeDenial of service

Products affected by CVE-2014-8439

Adobe » Flash Player
Versions up to, including, (<=) 11.2.202.418
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
Adobe » Flash Player
Versions up to, including, (<=) 13.0.0.252
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Mac Os X » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
Adobe » Flash Player
Versions up to, including, (<=) 15.0.0.223
cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
Adobe » AIR
Versions up to, including, (<=) 15.0.0.292
cpe:2.3:a:adobe:air:*:*:*:*:*:*:*:*
Matching versions
Adobe » Air Sdk & Compiler
Versions before (<) 15.0.0.302
cpe:2.3:a:adobe:air_sdk_\&_compiler:*:*:*:*:*:*:*:*
Matching versions
Adobe » Air Sdk
Versions up to, including, (<=) 15.0.0.301
cpe:2.3:a:adobe:air_sdk:*:*:*:*:*:*:*:*
Matching versions

CVE-2014-8439 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Adobe Flash Player Dereferenced Pointer Vulnerability

CISA required action:

The impacted product is end-of-life and should be disconnected if still in use.

CISA description:

Adobe Flash Player has a vulnerability in the way it handles a dereferenced memory pointer which could lead to code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2014-8439

Added on 2022-05-25 Action due date 2022-06-15

Exploit prediction scoring system (EPSS) score for CVE-2014-8439

EPSS FAQ

17.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-8439

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-10
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2014-8439

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Assigned by: nvd@nist.gov (Primary)
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2014-8439

http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00001.html

[security-announce] SUSE-SU-2014:1545-1: important: Security update for
Third Party Advisory
https://www.f-secure.com/weblog/archives/00002768.html

News from the Lab Archive : January 2004 to September 2015
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1915.html

RHSA-2014:1915 - Security Advisory - Red Hat Customer Portal
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/98932

Adobe Flash Player code execution CVE-2014-8439 Vulnerability Report
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/71289

Adobe Flash Player CVE-2014-8439 Remote Code Execution Vulnerability
Third Party Advisory;VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00004.html

[security-announce] openSUSE-SU-2014:1562-1: important: Security update
Third Party Advisory
http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

Adobe Security Bulletin
Vendor Advisory
http://secunia.com/advisories/60217

Sign in
Permissions Required
http://helpx.adobe.com/security/products/flash-player/apsb14-22.html

Adobe Security Bulletin
Vendor Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00020.html

[security-announce] openSUSE-SU-2014:1508-1: critical: Security update f
Third Party Advisory
http://www.securitytracker.com/id/1031259

Adobe Flash Player Use-After-Free Memory Error Lets Remote Users Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry