Skip to main content

Absolute Secure Access CVE-2026-33446

| EUVDEUVD-2026-26413 LOW
Classic Buffer Overflow (CWE-120)
2026-04-30 Absolute
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
Patch available
Apr 30, 2026 - 21:02 EUVD
CVSS changed
Apr 30, 2026 - 20:22 NVD
2.3 (LOW)
EUVD ID Assigned
Apr 30, 2026 - 20:00 euvd
EUVD-2026-26413
Analysis Generated
Apr 30, 2026 - 20:00 vuln.today
CVE Published
Apr 30, 2026 - 19:36 nvd
LOW 2.3

DescriptionCVE.org

CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service.

AnalysisAI

Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability exists in the authentication subsystem of Secure Access, a client application by Absolute Software designed for endpoint security and management. The root cause is a classic buffer overflow (CWE-120) in memory handling within the authentication processing code. This occurs when the client processes server responses without proper bounds checking, allowing a network-based attacker who controls or intercepts communications with a modified authentication server to transmit a specially crafted packet that overwrites adjacent memory regions. The attack surface is limited by the requirement for user interaction and high attack complexity, suggesting the overflow may require specific packet sequencing, timing, or user action to trigger.

RemediationAI

Upgrade Absolute Secure Access to version 14.50 or later immediately, as vendor-released patched versions are available. The patch resolves the buffer overflow by implementing proper bounds checking in the authentication subsystem packet handling logic. For organizations unable to patch immediately, implement network segmentation to restrict outbound connections from Secure Access clients to trusted, verified authentication servers only, and disable or restrict client-to-server communication if operationally feasible. Monitor for unexpected memory corruption errors or client crashes as indicators of exploitation attempts. Verify patch deployment through endpoint management tools and confirm version numbers post-update, as the patch may be deployable via automated mechanisms through Absolute's management infrastructure.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

CVE-2026-33446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy