Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to trigger a denial of service.
AnalysisAI
Buffer overflow in Absolute Secure Access Windows client versions prior to 14.50 allows local attackers with high privileges to trigger denial of service by exploiting improper memory handling. The vulnerability requires local access and elevated administrative privileges, limiting exploitation to authenticated users already possessing administrative control of the affected system. Vendor-released patch: version 14.50 or later.
Technical ContextAI
Secure Access is endpoint protection and device management software from Absolute Software. The vulnerability exists in the Windows client application as a classic buffer overflow condition in memory management, classified under improper input validation and buffer handling. The CPE identifier (cpe:2.3:a:absolute_software:secure_access:*:*:*:*:*:*:*:*) indicates the vulnerability affects all versions of Secure Access prior to 14.50. Buffer overflow vulnerabilities in local access contexts typically arise from inadequate bounds checking on stack or heap buffers when processing user input or configuration data, though the specific vulnerable code path is not detailed in available disclosures.
RemediationAI
Upgrade Absolute Secure Access to version 14.50 or later to remediate the buffer overflow condition. Administrators should prioritize deployment of this patch to all Windows client installations, particularly systems where local administrative access is shared among multiple users or where privileged accounts may be compromised. If immediate patching is not feasible due to operational constraints, restrict administrative credential distribution to essential personnel only, monitor Windows event logs for suspicious buffer overflow attempts (Access Violation exceptions in Secure Access process), and consider disabling non-essential features of Secure Access if such granular configuration is supported by the vendor. The denial of service impact means unavailability of Secure Access during exploitation, affecting threat detection and device management capabilities, so patching timeline should account for this availability risk.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26429