Skip to main content

Absolute Secure Access EUVDEUVD-2026-44787

| CVE-2026-40954 LOW
Integer Underflow (CWE-191)
2026-07-15 Absolute
2.1
CVSS 4.0 · Vendor: Absolute

Severity by source

Vendor (Absolute) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

AV:N/AC:H reflects network attack with high complexity; UI:R because user must connect to attacker-controlled channel; impact is low availability loss only with no scope change.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 20:31 vuln.today

DescriptionCVE.org

CVE-2026-40954 is an integer underflow vulnerability in the traffic parsing function of Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client

AnalysisAI

Integer underflow in Absolute Security's Secure Access client prior to version 14.55 allows an attacker with full control over the tunnel protocol to cause a non-persistent denial of service against the client. The exploitation bar is extremely high - the attacker must possess both intimate knowledge of the proprietary tunnel protocol and total control over the communication channel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of tunnel server or MitM position
Delivery
Acquire intimate knowledge of tunnel protocol
Exploit
Craft integer-underflow-triggering traffic
Execution
Wait for client to connect (user interaction)
Persist
Deliver malformed tunnel data
Impact
Trigger client crash (non-persistent DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following simultaneously: (1) the attacker must have total control over the tunnel protocol channel - either by operating a server the client connects to, or by holding a man-in-the-middle position; (2) the attacker must have intimate knowledge of the Absolute Secure Access proprietary tunnel protocol internals to construct a triggering payload; (3) active user interaction is required (UI:A in CVSS 4.0), meaning the user must initiate or maintain a connection; and (4) a specific attack precondition (AT:P) must be met. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is minimal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a malicious Secure Access server, or holding a man-in-the-middle position on the network path, crafts tunnel protocol traffic specifically engineered to trigger the integer underflow in the client's parsing function. The client crashes or becomes unresponsive for the duration of the attack, losing its tunnel connection. …
Remediation Patch available per vendor advisory: upgrade Absolute Secure Access clients to version 14.55 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

EUVD-2026-44787 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy