Post

CVE-2026-15506 - SecureAge CatchPulse Driver Vulnerability

CVE-2026-15506 - SecureAge CatchPulse Driver Vulnerability

CVE-2026-15506 - SecureAge CatchPulse Driver Vulnerability

A security vulnerability, identified as CVE-2026-15506, has been detected in SecureAge CatchPulse up to version 10.9.3. The affected element is an unknown function in the library saappctl.sys of the component Driver. Such manipulation leads to a heap-based buffer overflow. An attack must be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. This vulnerability was published on July 12, 2026.

Severity Assessment

The Common Vulnerability Scoring System (CVSS) assesses the severity of this vulnerability:

  • CVSS 2.0: Score is 6.8 (MEDIUM severity) with an Exploitability Score of 3.1 and an Impact Score of 10.0.
  • CVSS 3.1: Score is 7.8 (HIGH severity) with an Exploitability Score of 1.8 and an Impact Score of 5.9.
  • CVSS 4.0: Score is 7.1 (HIGH severity).

Affected Vendor

The affected vendor is Secureage, with the product CatchPulse. Remotely Exploit: No, an attack must be approached locally.

Associated Weaknesses

CVE-2026-15506 is associated with:

  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-122: Heap-based Buffer Overflow

Common Attack Patterns

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which include:

  • CAPEC-8: Buffer Overflow in an API Call
  • CAPEC-9: Buffer Overflow in Local Command-Line Utilities
  • CAPEC-10: Buffer Overflow via Environment Variables
  • CAPEC-14: Client-side Injection-induced Buffer Overflow
  • CAPEC-24: Filter Failure through Buffer Overflow

Remediation

To remediate this memory corruption vulnerability, users should update SecureAge CatchPulse to version 10.9.4 or later. This involves applying vendor-provided security patches and restricting local access to the driver component.

Read full article

This post is licensed under CC BY 4.0 by the author.