Description
CVE-2026-40951 is a memory corruption vulnerability on Secure Access
Windows clients prior to 14.50. Attackers with local control of the
Windows client can send malformed data to an API and trigger a denial of
service.
Published: 2026-04-30
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Memory corruption in the Secure Access Windows client allows an attacker who already has local control of the client to send malformed data to a vulnerable API, causing the application to crash. The result is a loss of availability for that client instance, interrupting users’ ability to connect to remote resources and potentially impacting business operations that rely on the client.

Affected Systems

Absolute Software Secure Access Windows clients prior to version 14.50 are affected. The vulnerability is tied to any installation of the product that predates the 14.50 release, regardless of the host operating system version.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. The EPSS score of 0.00017 (< 1%) indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires local access: an attacker must already have privileges on the Windows machine to exploit the flaw. Because the flaw does not involve a network-facing interface, the likelihood of remote exploitation is low, but any local compromise can lead to immediate denial of service for that client.

Generated by OpenCVE AI on May 2, 2026 at 08:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secure Access client to version 14.50 or later to eliminate the memory corruption flaw.
  • If an update is not immediately possible, isolate the affected client by restricting local administrator and user access to prevent compromise of the vulnerable application.
  • As a temporary measure, monitor the client for crash events and enforce application whitelisting or integrity checks to detect and block anomalous inputs to the vulnerable API.


Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Absolute
Absolute secure Access
Vendors & Products Absolute
Absolute secure Access

Fri, 01 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 30 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description CVE-2026-40951 is a memory corruption vulnerability on Secure Access Windows clients prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and trigger a denial of service.
Title Memory corruption in Secure Access Windows clients prior to 14.50
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Absolute Secure Access
MITRE

Status: PUBLISHED

Assigner: Absolute

Published:

Updated: 2026-05-01T14:29:48.263Z

Reserved: 2026-04-16T00:19:03.573Z

Link: CVE-2026-40951

Vulnrichment

Updated: 2026-05-01T14:29:44.417Z

NVD

Status: Awaiting Analysis

Published: 2026-04-30T21:16:33.127

Modified: 2026-05-01T15:28:29.083

Link: CVE-2026-40951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:15:16Z

Weaknesses