Skip to main content

Absolute Secure Access CVE-2026-40949

| EUVDEUVD-2026-26429 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-04-30 Absolute
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 22:45 vuln.today
Patch available
Apr 30, 2026 - 22:02 EUVD
CVSS changed
Apr 30, 2026 - 21:22 NVD
6.8 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 20:30 euvd
EUVD-2026-26429
Analysis Generated
Apr 30, 2026 - 20:30 vuln.today
CVE Published
Apr 30, 2026 - 20:16 nvd
MEDIUM 6.8

DescriptionCVE.org

CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to trigger a denial of service.

AnalysisAI

Buffer overflow in Absolute Secure Access Windows client versions prior to 14.50 allows local attackers with high privileges to trigger denial of service by exploiting improper memory handling. The vulnerability requires local access and elevated administrative privileges, limiting exploitation to authenticated users already possessing administrative control of the affected system. Vendor-released patch: version 14.50 or later.

Technical ContextAI

Secure Access is endpoint protection and device management software from Absolute Software. The vulnerability exists in the Windows client application as a classic buffer overflow condition in memory management, classified under improper input validation and buffer handling. The CPE identifier (cpe:2.3:a:absolute_software:secure_access:*:*:*:*:*:*:*:*) indicates the vulnerability affects all versions of Secure Access prior to 14.50. Buffer overflow vulnerabilities in local access contexts typically arise from inadequate bounds checking on stack or heap buffers when processing user input or configuration data, though the specific vulnerable code path is not detailed in available disclosures.

RemediationAI

Upgrade Absolute Secure Access to version 14.50 or later to remediate the buffer overflow condition. Administrators should prioritize deployment of this patch to all Windows client installations, particularly systems where local administrative access is shared among multiple users or where privileged accounts may be compromised. If immediate patching is not feasible due to operational constraints, restrict administrative credential distribution to essential personnel only, monitor Windows event logs for suspicious buffer overflow attempts (Access Violation exceptions in Secure Access process), and consider disabling non-essential features of Secure Access if such granular configuration is supported by the vendor. The denial of service impact means unavailability of Secure Access during exploitation, affecting threat detection and device management capabilities, so patching timeline should account for this availability risk.

Share

CVE-2026-40949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy