Skip to main content

V Sft CVE-2026-32928

| EUVDEUVD-2026-18104 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-01 jpcert GHSA-2pr9-fr5g-p8hm
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 23:16 euvd
EUVD-2026-18104
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:59 nvd
HIGH 8.4

DescriptionCVE.org

V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

AnalysisAI

Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.

Technical ContextAI

V-SFT is a programming and configuration software for Fuji Electric/Hakko Electronics programmable logic controllers and human-machine interfaces used in industrial automation environments. The vulnerability exists in the VS6ComFile component's CSaveData::_conv_AnimationItem function, which handles animation data conversion when parsing V7 project files. CWE-121 (stack-based buffer overflow) occurs when the application fails to validate input length during file parsing, allowing attacker-controlled data to exceed allocated stack buffer boundaries. This classic memory corruption vulnerability can overwrite return addresses or function pointers on the stack, redirecting execution flow to attacker-supplied code. The affected CPE (cpe:2.3:a:fuji_electric_co.,_ltd._/_hakko_electronics_co.,_ltd.:v-sft) indicates this impacts industrial control system engineering workstations, creating potential supply chain risk if compromised projects are distributed to operational technology environments.

RemediationAI

Users should immediately consult the Fuji Electric vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b for patch availability and upgrade instructions, as specific remediated version numbers are not included in available vulnerability data. Until patching is completed, organizations should implement defense-in-depth controls including restricting V-SFT software to isolated engineering workstations without internet access, enforcing strict controls on V7 project file sources with mandatory scanning of files from external parties, implementing application whitelisting to prevent unauthorized code execution, and conducting security awareness training for engineers on risks of opening untrusted project files. Organizations should verify file integrity using cryptographic hashes when receiving projects from trusted partners and maintain offline backups of validated project files. The JVN advisory at https://jvn.jp/en/vu/JVNVU90448293/ may contain additional mitigation guidance specific to Japanese industrial control system environments.

Share

CVE-2026-32928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy