Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service.
AnalysisAI
Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The vulnerability exists in the authentication subsystem of Secure Access, a client application by Absolute Software designed for endpoint security and management. The root cause is a classic buffer overflow (CWE-120) in memory handling within the authentication processing code. This occurs when the client processes server responses without proper bounds checking, allowing a network-based attacker who controls or intercepts communications with a modified authentication server to transmit a specially crafted packet that overwrites adjacent memory regions. The attack surface is limited by the requirement for user interaction and high attack complexity, suggesting the overflow may require specific packet sequencing, timing, or user action to trigger.
RemediationAI
Upgrade Absolute Secure Access to version 14.50 or later immediately, as vendor-released patched versions are available. The patch resolves the buffer overflow by implementing proper bounds checking in the authentication subsystem packet handling logic. For organizations unable to patch immediately, implement network segmentation to restrict outbound connections from Secure Access clients to trusted, verified authentication servers only, and disable or restrict client-to-server communication if operationally feasible. Monitor for unexpected memory corruption errors or client crashes as indicators of exploitation attempts. Verify patch deployment through endpoint management tools and confirm version numbers post-update, as the patch may be deployable via automated mechanisms through Absolute's management infrastructure.
More in Secure Access
View allPersistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26413