Skip to main content

Proteus CVE-2026-5495

| EUVDEUVD-2026-21670 HIGH
Out-of-bounds Write (CWE-787)
2026-04-11 zdi
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21670
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:13 nvd
HIGH 7.8

DescriptionCVE.org

Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25720.

AnalysisAI

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution when victims open crafted project files. The vulnerability stems from insufficient validation during PDSPRJ file processing, allowing buffer overflow conditions that permit arbitrary code execution with victim's privileges. Exploitation requires user interaction-opening a malicious PDSPRJ file or visiting attacker-controlled web content. CVSS 7.8 (High) reflects local attack vector with no privileges required but mandatory user interaction. No public exploit identified at time of analysis. Affects all versions per available CPE data.

Technical ContextAI

CWE-787 out-of-bounds write triggered during PDSPRJ project file deserialization. Parser writes user-controlled data beyond allocated buffer boundaries without bounds checking. Attack vector (AV:L) indicates local file operations; attacker supplies malicious PDSPRJ payload executed during file parsing routines. Memory corruption enables instruction pointer control for arbitrary code execution.

RemediationAI

No vendor-released patch identified at time of analysis. Until fixes become available, organizations should implement defensive controls: restrict PDSPRJ file sources to trusted repositories only, disable automatic file preview/parsing features, deploy application sandboxing to limit code execution scope, and enforce strict email attachment policies blocking unsolicited PDSPRJ files. Security teams should monitor Zero Day Initiative advisory ZDI-26-257 for vendor coordination updates and patch release notifications at https://www.zerodayinitiative.com/advisories/ZDI-26-257/. Consider prohibiting Proteus usage on systems processing untrusted project files until vendor addresses vulnerability. Deploy endpoint detection rules monitoring abnormal Proteus process behavior including unexpected child process creation or network connections.

Share

CVE-2026-5495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy