Description
CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access
Windows client prior to 14.50. Attackers with local control of the
Windows client can use it to trigger a denial of service.
Published: 2026-04-30
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE‑2026‑40949 is a buffer overflow vulnerability (CWE‑121) affecting the Absolute Software Secure Access Windows client before version 14.50. The flaw allows a local attacker with control of the client to overflow an internal buffer and cause the application to terminate, resulting in a denial of service for all users of that client instance.

Affected Systems

The vulnerability impacts the Windows installation of Absolute Software Secure Access releases earlier than 14.50. No later versions have been reported to be affected, and no specific sub‑versions are listed by the vendor.

Risk and Exploitability

With a CVSS score of 6.8, the issue is considered moderate severity. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. The attack requires local presence on the Windows machine, meaning an attacker must have access to the client executable or the ability to run code on the host. Exploitation would result in a service crash, potentially disrupting secure remote access to protected resources. Because the impact is limited to local denial of service and there is no remote execution vector, the overall risk is moderate but still warrants prompt remediation.

Generated by OpenCVE AI on May 2, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Absolute Software Secure Access Windows client to version 14.50 or later to eliminate the buffer overflow.
  • Apply any vendor‑supplied patches that address CVE‑2026‑40949 as they become available.
  • If the client is not required on a system, consider uninstalling or disabling it to remove the local attack surface.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Absolute
Absolute secure Access
Vendors & Products Absolute
Absolute secure Access

Fri, 01 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to trigger a denial of service.
Title Buffer overflow in Windows clients prior to 14.50
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Absolute

Published:

Updated: 2026-05-01T14:32:04.114Z

Reserved: 2026-04-16T00:19:03.573Z

Link: CVE-2026-40949

Vulnrichment

Updated: 2026-05-01T14:31:59.835Z

NVD

Status: Awaiting Analysis

Published: 2026-04-30T21:16:32.883

Modified: 2026-05-01T15:28:29.083

Link: CVE-2026-40949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses