Skip to main content

Optical Disc Archive Software CVE-2026-50255

| EUVDEUVD-2026-37035 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-06-16 jpcert GHSA-cmc3-2x49-gxrr
5.4
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local vector with low privileges and required user interaction match CVSS 4.0 AV:L/PR:L/UI:P; scope unchanged as impact is confined to the vulnerable host.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (jpcert).

CVSS VectorVendor: jpcert

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 06:23 vuln.today
CVSS changed
Jun 16, 2026 - 06:22 NVD
6.7 (MEDIUM) 5.4 (MEDIUM)

DescriptionCVE.org

Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges.

AnalysisAI

Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

CWE-276 (Incorrect Default Permissions) describes a class of flaw where a software installer or runtime creates directories, files, or registry keys with access control lists (ACLs) that grant write or modify rights to non-administrative users. In the Windows ecosystem this commonly enables DLL hijacking, binary planting, or scheduled-task/service executable replacement: a low-privileged user writes a malicious payload to the insecurely permissioned path, then waits for or triggers the privileged process to load it, achieving SYSTEM execution. The affected product is identified via CPE cpe:2.3:a:sony_corporation:optical_disc_archive_software_for_windows:*:*:*:*:*:*:*:* covering versions up to and including 5.5.3 on Windows. The CVSS 4.0 vector's AT:P (Attack Target: Presence) metric signals that exploitation depends on a specific deployment condition - likely the Optical Disc Archive service or process being actively running or invoked by a privileged context.

RemediationAI

The primary remediation is to upgrade to a fixed version of Sony Optical Disc Archive Software for Windows once released; consult the Sony support page at https://www.sony.com/electronics/support/software/00403421 for the patched release version, which has not been independently confirmed in the available input data beyond the advisory reference. Until patching is possible, administrators should manually harden ACLs on the software's installation directories to restrict write and modify permissions to the SYSTEM account and local Administrators group only, preventing low-privileged users from replacing or inserting files. Running the software in environments where end users do not hold local accounts (e.g., domain environments with standard user accounts and no local admin rights) reduces exploitability, as does restricting who can log on interactively to hosts where the software is deployed. Note that ACL hardening may need to be reapplied after software updates that recreate permissive paths.

Share

CVE-2026-50255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy