Skip to main content

Absolute Secure Access CVE-2026-40955

| EUVDEUVD-2026-44788 LOW
Integer Underflow (CWE-191)
2026-07-15 Absolute
2.1
CVSS 4.0 · Vendor: Absolute

Severity by source

Vendor (Absolute) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-delivered but requires attacker tunnel control (AC:H); active client session needed (UI:R); impact limited to transient client availability disruption (A:L), no C/I impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 20:31 vuln.today

DescriptionCVE.org

CVE-2026-40955 is an integer underflow vulnerability in the traffic parsing function of Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client.

AnalysisAI

Integer underflow in the traffic parsing function of Absolute Security Secure Access clients prior to version 14.55 enables a non-persistent denial-of-service condition against the client application. Exploitation demands the attacker possess intimate knowledge of the proprietary tunnel protocol AND maintain total control over that tunnel - an exceptionally high bar that drastically limits realistic attacker population. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or compromise tunnel gateway
Delivery
Acquire tunnel protocol internals knowledge
Exploit
Wait for victim client to connect
Execution
Craft malformed protocol message with integer underflow trigger
Persist
Deliver crafted traffic to parsing function
Impact
Induce non-persistent client crash

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the attacker must possess intimate knowledge of the Absolute Secure Access tunnel protocol internals - not publicly documented - and (2) the attacker must have total control over the tunnel channel through which the victim client communicates, such as by operating a malicious or compromised tunnel endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk of this vulnerability is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or controls a VPN/tunnel gateway that Absolute Secure Access clients connect to crafts malformed tunnel protocol messages exploiting intimate knowledge of the protocol structure to induce an integer underflow in the client's traffic parser. The targeted client application crashes or becomes temporarily unresponsive, disrupting the user's secure access session until the client recovers or is restarted. …
Remediation Upgrade Absolute Secure Access clients to version 14.55 or later, which is the vendor-confirmed fix version per the Absolute Security vulnerability advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40955. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

CVE-2026-40955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy