Skip to main content

Proteus CVE-2026-5494

| EUVDEUVD-2026-21668 HIGH
Out-of-bounds Write (CWE-787)
2026-04-11 zdi GHSA-jf3r-4gcm-wq9g
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21668
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:13 nvd
HIGH 7.8

DescriptionCVE.org

Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25719.

AnalysisAI

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution with high integrity impact. Exploitation requires user interaction (opening malicious PDSPRJ file or visiting attacker-controlled page). Insufficient input validation during PDSPRJ processing allows buffer overflow, writing arbitrary data beyond allocated memory boundaries. Successful exploitation grants attacker code execution in application context with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

Technical ContextAI

CWE-787 out-of-bounds write stems from absent bounds checking on user-supplied data within PDSPRJ file parser. Heap or stack buffer overflow occurs when malformed file triggers write operation exceeding allocated buffer size. CVSS vector AV:L indicates local attack vector despite remote delivery, as file must execute locally after social engineering delivery.

RemediationAI

No vendor-released patch identified at time of analysis per available intelligence. Until Labcenter Electronics issues security update, implement defense-in-depth controls: (1) restrict PDSPRJ file sources to trusted repositories only, (2) deploy application sandboxing or virtualization for Proteus execution, (3) enforce least-privilege user contexts, (4) implement email attachment filtering blocking unsolicited PDSPRJ files, (5) disable automatic file preview features. Monitor Zero Day Initiative advisory for vendor coordination updates: https://www.zerodayinitiative.com/advisories/ZDI-26-256/. Organizations should contact Labcenter Electronics support directly to request patch timeline and interim guidance.

Share

CVE-2026-5494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy