Skip to main content

V Sft CVE-2026-32929

| EUVDEUVD-2026-18106 HIGH
Out-of-bounds Read (CWE-125)
2026-04-01 jpcert GHSA-6qwr-c77w-q35g
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 23:16 euvd
EUVD-2026-18106
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 23:00 nvd
HIGH 8.4

DescriptionCVE.org

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!get_macro_mem_COM. Opening a crafted V7 file may lead to information disclosure from the affected product.

AnalysisAI

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information and potentially achieve code execution when processing maliciously crafted V7 files. The vulnerability resides in the VS6ComFile!get_macro_mem_COM function and requires user interaction to open a weaponized file. No public exploit identified at time of analysis, though the local attack vector and file format parsing nature make this a realistic social engineering target for industrial control system environments.

Technical ContextAI

This vulnerability stems from an out-of-bounds read (CWE-125) in V-SFT, Fuji Electric's HMI programming software used in industrial automation environments. The flaw occurs in the VS6ComFile!get_macro_mem_COM function during parsing of V7 project files, which are proprietary file formats used to configure programmable operator interfaces. Out-of-bounds reads allow an attacker to access memory beyond allocated buffer boundaries, potentially leaking sensitive data from adjacent memory regions or triggering further exploitation primitives. The CVSS 4.0 vector indicates this is a local attack (AV:L) requiring user action to open a malicious file (UI:A), but requires no privileges (PR:N) and has low complexity (AC:L). The vulnerability affects cpe:2.3:a:fuji_electric_co.,_ltd._/_hakko_electronics_co.,_ltd.:v-sft:*:*:*:*:*:*:*:* through version 6.2.10.0, with impacts isolated to the vulnerable system (SC:N/SI:N/SA:N) rather than propagating to other components.

RemediationAI

Users should immediately upgrade to V-SFT version 6.2.10.1 or later as specified in the vendor security advisory available at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b. Until patching is complete, organizations should implement compensating controls including restricting V-SFT workstations from opening V7 project files from untrusted sources, implementing application whitelisting to prevent unauthorized file execution, and isolating engineering workstations from internet access and untrusted network segments. Establish procedures requiring verification of V7 file authenticity before opening, particularly files received via email or external media. Review JPCERT coordination details at https://jvn.jp/en/vu/JVNVU90448293/ for additional guidance specific to Japanese industrial control system deployments. Given the OT environment context, schedule upgrades during planned maintenance windows with appropriate safety system safeguards and validation testing of HMI configurations post-upgrade.

Share

CVE-2026-32929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy