CVE-2014-0556 [Critical] | Memory Corruption in Flash Player

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK & Compiler before 15.0.0.249 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0559.

EDB-ID	Source	Kind	Published	Link
36808	exploit_db	edb	2015-04-21	Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

36808

exploit_db

edb

2015-04-21

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	87.32%	84.18%	-3.14%
2	2026-05-13	86.03%	87.32%	+1.29%
3	2026-02-23	—	86.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

87.32%

84.18%

-3.14%

2026-05-13

86.03%

87.32%

+1.29%

2026-02-23

—

86.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
10.0	2.0	HIGH	`AV:N/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	10.0	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

10.0

2.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

10.0

[email protected]

OS Trackers for CVE-2014-0556

vendor	priority	summary	link
`gentoo`	normal	CVE-2014-0556: 1 GLSA(s) (201409-05), 1 atom(s) (www-plugins/adobe-flash); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2014-0556
`redhat`	critical	—	https://access.redhat.com/security/cve/CVE-2014-0556
`ubuntu`	medium	CVE-2014-0556 medium priority: Ubuntu including 2 source packages (adobe-flashplugin, flashplugin-nonfree), 8 status rows across 4 suites (lucid, precise, trusty, upstream): released 6, ignored 2.	https://ubuntu.com/security/CVE-2014-0556

Affected software / configurations for CVE-2014-0556

Vendor	Product	Version	Raw CPE
adobe	flash_player	<= 13.0.0.241	cpe:2.3:a:adobe:flash_player::::::::
adobe	flash_player	13.0.0.182	cpe:2.3:a:adobe:flash_player:13.0.0.182:::::::*
adobe	flash_player	13.0.0.201	cpe:2.3:a:adobe:flash_player:13.0.0.201:::::::*
adobe	flash_player	13.0.0.206	cpe:2.3:a:adobe:flash_player:13.0.0.206:::::::*
adobe	flash_player	13.0.0.214	cpe:2.3:a:adobe:flash_player:13.0.0.214:::::::*
adobe	flash_player	13.0.0.223	cpe:2.3:a:adobe:flash_player:13.0.0.223:::::::*
adobe	flash_player	13.0.0.231	cpe:2.3:a:adobe:flash_player:13.0.0.231:::::::*
adobe	flash_player	14.0.0.125	cpe:2.3:a:adobe:flash_player:14.0.0.125:::::::*
adobe	flash_player	14.0.0.145	cpe:2.3:a:adobe:flash_player:14.0.0.145:::::::*
adobe	flash_player	14.0.0.176	cpe:2.3:a:adobe:flash_player:14.0.0.176:::::::*
adobe	flash_player	14.0.0.179	cpe:2.3:a:adobe:flash_player:14.0.0.179:::::::*
adobe	flash_player	15.0.0.144	cpe:2.3:a:adobe:flash_player:15.0.0.144:::::::*
adobe	adobe_air_sdk	<= 14.0.0.178	cpe:2.3:a:adobe:adobe_air_sdk::::::::
adobe	adobe_air_sdk	13.0.0.83	cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.83:::::::*
adobe	adobe_air_sdk	13.0.0.111	cpe:2.3:a:adobe:adobe_air_sdk:13.0.0.111:::::::*
adobe	adobe_air_sdk	14.0.0.110	cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.110:::::::*
adobe	adobe_air_sdk	14.0.0.137	cpe:2.3:a:adobe:adobe_air_sdk:14.0.0.137:::::::*
adobe	flash_player	<= 11.2.202.400	cpe:2.3:a:adobe:flash_player::::::::
adobe	flash_player	11.2.202.223	cpe:2.3:a:adobe:flash_player:11.2.202.223:::::::*
adobe	flash_player	11.2.202.228	cpe:2.3:a:adobe:flash_player:11.2.202.228:::::::*
adobe	flash_player	11.2.202.233	cpe:2.3:a:adobe:flash_player:11.2.202.233:::::::*
adobe	flash_player	11.2.202.235	cpe:2.3:a:adobe:flash_player:11.2.202.235:::::::*
adobe	flash_player	11.2.202.236	cpe:2.3:a:adobe:flash_player:11.2.202.236:::::::*
adobe	flash_player	11.2.202.238	cpe:2.3:a:adobe:flash_player:11.2.202.238:::::::*
adobe	flash_player	11.2.202.243	cpe:2.3:a:adobe:flash_player:11.2.202.243:::::::*
adobe	flash_player	11.2.202.251	cpe:2.3:a:adobe:flash_player:11.2.202.251:::::::*
adobe	flash_player	11.2.202.258	cpe:2.3:a:adobe:flash_player:11.2.202.258:::::::*
adobe	flash_player	11.2.202.261	cpe:2.3:a:adobe:flash_player:11.2.202.261:::::::*
adobe	flash_player	11.2.202.262	cpe:2.3:a:adobe:flash_player:11.2.202.262:::::::*
adobe	flash_player	11.2.202.270	cpe:2.3:a:adobe:flash_player:11.2.202.270:::::::*
adobe	flash_player	11.2.202.273	cpe:2.3:a:adobe:flash_player:11.2.202.273:::::::*
adobe	flash_player	11.2.202.275	cpe:2.3:a:adobe:flash_player:11.2.202.275:::::::*
adobe	flash_player	11.2.202.280	cpe:2.3:a:adobe:flash_player:11.2.202.280:::::::*
adobe	flash_player	11.2.202.285	cpe:2.3:a:adobe:flash_player:11.2.202.285:::::::*
adobe	flash_player	11.2.202.291	cpe:2.3:a:adobe:flash_player:11.2.202.291:::::::*
adobe	flash_player	11.2.202.297	cpe:2.3:a:adobe:flash_player:11.2.202.297:::::::*
adobe	flash_player	11.2.202.310	cpe:2.3:a:adobe:flash_player:11.2.202.310:::::::*
adobe	flash_player	11.2.202.332	cpe:2.3:a:adobe:flash_player:11.2.202.332:::::::*
adobe	flash_player	11.2.202.335	cpe:2.3:a:adobe:flash_player:11.2.202.335:::::::*
adobe	flash_player	11.2.202.336	cpe:2.3:a:adobe:flash_player:11.2.202.336:::::::*
adobe	flash_player	11.2.202.341	cpe:2.3:a:adobe:flash_player:11.2.202.341:::::::*
adobe	flash_player	11.2.202.346	cpe:2.3:a:adobe:flash_player:11.2.202.346:::::::*
adobe	flash_player	11.2.202.350	cpe:2.3:a:adobe:flash_player:11.2.202.350:::::::*
adobe	flash_player	11.2.202.356	cpe:2.3:a:adobe:flash_player:11.2.202.356:::::::*
adobe	flash_player	11.2.202.359	cpe:2.3:a:adobe:flash_player:11.2.202.359:::::::*
adobe	flash_player	11.2.202.378	cpe:2.3:a:adobe:flash_player:11.2.202.378:::::::*
adobe	flash_player	11.2.202.394	cpe:2.3:a:adobe:flash_player:11.2.202.394:::::::*
adobe	adobe_air	<= 14.0.0.179	cpe:2.3:a:adobe:adobe_air::::::::
adobe	adobe_air	13.0.0.83	cpe:2.3:a:adobe:adobe_air:13.0.0.83:::::::*
adobe	adobe_air	13.0.0.111	cpe:2.3:a:adobe:adobe_air:13.0.0.111:::::::*
adobe	adobe_air	14.0.0.110	cpe:2.3:a:adobe:adobe_air:14.0.0.110:::::::*
adobe	adobe_air	14.0.0.137	cpe:2.3:a:adobe:adobe_air:14.0.0.137:::::::*
adobe	adobe_air	<= 14.0.0.178	cpe:2.3:a:adobe:adobe_air::::::::

References for CVE-2014-0556

URL	Tags
http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html	Patch Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00021.html
http://packetstormsecurity.com/files/131516/Adobe-Flash-Player-copyPixelsToByteArray-Integer-Overflow.html
http://secunia.com/advisories/61089
http://security.gentoo.org/glsa/glsa-201409-05.xml
http://www.osvdb.org/111110
http://www.securityfocus.com/bid/69696
http://www.securitytracker.com/id/1030822
https://code.google.com/p/google-security-research/issues/detail?id=46
https://exchange.xforce.ibmcloud.com/vulnerabilities/95826
https://www.exploit-db.com/exploits/36808/

URL

CVE-2014-0556

Public exploit references (Exploit-DB) for CVE-2014-0556

Exploit prediction scoring system (EPSS) score for CVE-2014-0556

Common vulnerability scoring system (CVSS) metrics for CVE-2014-0556

Weakness enumeration for CVE-2014-0556

OS Trackers for CVE-2014-0556

Affected software / configurations for CVE-2014-0556

References for CVE-2014-0556