Skip to main content

Absolute Secure Access CVE-2026-33447

| EUVDEUVD-2026-26415 LOW
Stack-based Buffer Overflow (CWE-121)
2026-04-30 Absolute
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 22:15 vuln.today
Patch available
Apr 30, 2026 - 21:02 EUVD
CVSS changed
Apr 30, 2026 - 20:22 NVD
2.3 (LOW)
EUVD ID Assigned
Apr 30, 2026 - 20:00 euvd
EUVD-2026-26415
Analysis Generated
Apr 30, 2026 - 20:00 vuln.today
CVE Published
Apr 30, 2026 - 19:43 nvd
LOW 2.3

DescriptionCVE.org

CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or denial of service.

AnalysisAI

Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.

Technical ContextAI

The vulnerability resides in a message parsing function within the Secure Access client application, a privilege management and secure access solution by Absolute Software. The buffer overflow occurs during packet processing when the client communicates with a server. The condition involves a bounded but insufficient buffer allocation, allowing a remote entity controlling or impersonating a server to craft packets exceeding expected bounds. The overflow is classified as a buffer overflow (CWE category implied by description), which typically results from improper bounds checking in C/C++ parsing routines. The impact is constrained to integrity and availability-not confidentiality-suggesting the overflow affects internal state or stack canaries rather than sensitive data exposure.

RemediationAI

Upgrade Absolute Secure Access to version 14.50 or later, which is available from the vendor. Organizations should deploy this patch immediately across all client instances communicating with Secure Access servers. If immediate patching is not feasible, implement network-level controls to restrict client-server communications to trusted, verified endpoints and monitor for unexpected server certificate changes or unusual packet patterns. Monitor server infrastructure for compromise indicators, as the attack surface is limited to scenarios where an attacker controls or intercepts the server-client channel. Patch deployment has no documented negative side effects given the security focus of the fix.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

CVE-2026-33447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy