Skip to main content

V Sft CVE-2026-32926

| EUVDEUVD-2026-18100 HIGH
Out-of-bounds Read (CWE-125)
2026-04-01 jpcert GHSA-h298-9cph-7xc6
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 23:16 euvd
EUVD-2026-18100
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:58 nvd
HIGH 8.4

DescriptionCVE.org

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.

AnalysisAI

Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.

Technical ContextAI

V-SFT is Fuji Electric's supervisory control and data acquisition (SCADA) human-machine interface (HMI) development software used in industrial automation environments. The vulnerability (CWE-125: Out-of-bounds Read) occurs in the VS6ComFile module's load_link_inf function during parsing of proprietary V7 project files. Out-of-bounds read vulnerabilities allow attackers to access memory locations beyond allocated buffers, potentially exposing sensitive data structures, cryptographic keys, or memory layout information useful for ASLR bypass. The affected CPE (cpe:2.3:a:fuji_electric_co.,_ltd._/_hakko_electronics_co.,_ltd.:v-sft) indicates this is a joint product from Fuji Electric and Hakko Electronics. CVSS 4.0 vector shows local attack vector (AV:L) requiring user interaction (UI:A) but no privileges (PR:N), with high impact to confidentiality and integrity at the vulnerable component level. The JPCERT coordination suggests this affects critical infrastructure sectors where V-SFT is deployed for industrial process control.

RemediationAI

Users should immediately upgrade to V-SFT version 6.2.11.0 or later as indicated in the vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb. Until patching is complete, implement compensating controls including restricting V7 file sources to trusted vendors only, scanning project files on isolated systems before opening on production engineering workstations, and applying application whitelisting to prevent unauthorized executables. Organizations should review file handling procedures and endpoint detection capabilities on HMI engineering stations, as these systems often lack modern security controls. Consult the JPCERT coordination notice at https://jvn.jp/en/vu/JVNVU90448293/ for additional regional guidance, and coordinate upgrades during planned maintenance windows following standard operational technology change management procedures to minimize production impact.

Share

CVE-2026-32926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy