Skip to main content

V Sft CVE-2026-32925

| EUVDEUVD-2026-18098 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-01 jpcert GHSA-257x-mvvc-g6ff
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 23:16 euvd
EUVD-2026-18098
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:58 nvd
HIGH 8.4

DescriptionCVE.org

V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

AnalysisAI

Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.

Technical ContextAI

V-SFT is industrial automation programming software from Fuji Electric/HAKKO Electronics used for configuring programmable display terminals and HMI devices. The vulnerability exists in the VS6ComFile module's CV7BaseMap::WriteV7DataToRom function, which processes V7 project files. CWE-121 (stack-based buffer overflow) indicates the software fails to validate input size when copying data to a fixed-size stack buffer during V7 file parsing. When processing attacker-controlled file content, excessive data overwrites adjacent stack memory including return addresses, enabling control flow hijacking and arbitrary code execution with the privileges of the application. This is a classic memory corruption vulnerability in file format parsing-a common attack surface in industrial control system (ICS) engineering software that processes complex proprietary file formats.

RemediationAI

Organizations should immediately consult the Fuji Electric vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb for patch availability and upgrade instructions; patch status not independently confirmed from available data but vendor acknowledgment indicates remediation planning. Until patching, implement defensive controls: restrict V-SFT workstations from internet access, prohibit opening V7 project files from untrusted sources, implement application whitelisting to prevent arbitrary code execution, and scan incoming project files with updated antivirus solutions. Use secure file transfer procedures with digital signatures when exchanging V7 files with partners. For air-gapped ICS environments, enforce USB media scanning and change control procedures for all project files introduced to the network.

Share

CVE-2026-32925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy