Skip to main content

Absolute Secure Access CVE-2026-40951

| EUVDEUVD-2026-26431 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-30 Absolute
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
May 04, 2026 - 18:54 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 23:30 vuln.today
Patch available
Apr 30, 2026 - 22:02 EUVD
CVSS changed
Apr 30, 2026 - 21:22 NVD
6.8 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 20:45 euvd
EUVD-2026-26431
Analysis Generated
Apr 30, 2026 - 20:45 vuln.today
CVE Published
Apr 30, 2026 - 20:22 nvd
MEDIUM 6.8

DescriptionCVE.org

CVE-2026-40951 is a memory corruption vulnerability on Secure Access Windows clients prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and trigger a denial of service.

AnalysisAI

Memory corruption in Absolute Secure Access Windows clients prior to version 14.50 allows local authenticated attackers to trigger denial of service by sending malformed data to an exposed API. The vulnerability requires local system access and authenticated privileges but can completely disable the security client, creating a critical availability risk for endpoint protection.

Technical ContextAI

This memory corruption vulnerability affects the Absolute Secure Access Windows client API interface. The CVE involves improper handling of malformed input data sent to a local API endpoint, causing memory safety violations classified as buffer overflow (per tags). The vulnerability is specific to the Secure Access application running on Windows endpoints and manifests through local inter-process communication or API exposure. The flaw allows memory corruption that results in availability impact (VA:H in CVSS 4.0 vector), indicating the attacker can crash or disable the service rather than execute arbitrary code.

RemediationAI

Upgrade Absolute Secure Access to version 14.50 or later on all affected Windows clients. This is the vendor-released patch that resolves the memory corruption flaw. Organizations unable to patch immediately should restrict local access to Windows systems running vulnerable Secure Access versions, disable unnecessary local API endpoints if configuration options exist, and monitor for suspicious local API calls or client process crashes that may indicate exploitation attempts. Verify patch deployment across the organization, as the vulnerability requires local authenticated access and therefore poses greatest risk in environments with high user turnover or weak endpoint access controls.

Share

CVE-2026-40951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy