Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A heap-based buffer overflow vulnerability exists in XML parser functionality in the HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system.
AnalysisAI
Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.
Technical ContextAI
MACH HiDraw is an industrial engineering drawing and HMI configuration application developed by Hitachi Energy, identified via CPE cpe:2.3:a:hitachi_energy:mach_hidraw:*:*:*:*:*:*:*:*. The vulnerability is rooted in CWE-122 (Heap-based Buffer Overflow): the application's XML parser fails to enforce proper bounds checking when reading XML element data into heap-allocated buffers. When a maliciously crafted XML file provides data exceeding the expected buffer size, the write operation extends past the allocated heap region, corrupting adjacent memory structures. This class of flaw can destabilize allocator metadata, cause deterministic crashes, or - under specific heap layout conditions - enable control-flow hijacking for code execution. The CVSS 4.0 vector's AT:P (attack requirements present) field indicates that specific runtime preconditions beyond mere file delivery must be met for successful exploitation, consistent with the inherent unpredictability of heap corruption primitives.
RemediationAI
The primary remediation is to upgrade MACH HiDraw to version 9.22 or later, which is confirmed as the fixed release per the vendor advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000248&LanguageCode=en&DocumentPartId=&Action=Launch. For environments where immediate patching is not feasible, compensating controls should focus on restricting the XML file import workflow: enforce operating system-level file access controls (ACLs) to prevent untrusted or external XML files from being accessible to MACH HiDraw processes, and implement application whitelisting or file integrity monitoring to ensure only known-good XML assets can be opened by the application. Additionally, limit MACH HiDraw access to the minimum set of users who require it, reducing the pool of potential low-privileged attackers. Note that restricting XML file access will directly impact legitimate HiDraw drawing import and configuration workflows and should be coordinated with operational stakeholders. Patch availability per vendor is confirmed; the exact patched version (9.22) is confirmed via EUVD data.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31812
GHSA-jj2v-35pf-65rw