Skip to main content

MACH HiDraw EUVDEUVD-2026-31812

| CVE-2026-7310 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-26 Hitachi Energy GHSA-jj2v-35pf-65rw
4.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:12 vuln.today
Patch available
May 26, 2026 - 15:01 EUVD
CVSS changed
May 26, 2026 - 14:22 NVD
4.4 (MEDIUM)
CVE Published
May 26, 2026 - 11:43 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A heap-based buffer overflow vulnerability exists in XML parser functionality in the HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system.

AnalysisAI

Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.

Technical ContextAI

MACH HiDraw is an industrial engineering drawing and HMI configuration application developed by Hitachi Energy, identified via CPE cpe:2.3:a:hitachi_energy:mach_hidraw:*:*:*:*:*:*:*:*. The vulnerability is rooted in CWE-122 (Heap-based Buffer Overflow): the application's XML parser fails to enforce proper bounds checking when reading XML element data into heap-allocated buffers. When a maliciously crafted XML file provides data exceeding the expected buffer size, the write operation extends past the allocated heap region, corrupting adjacent memory structures. This class of flaw can destabilize allocator metadata, cause deterministic crashes, or - under specific heap layout conditions - enable control-flow hijacking for code execution. The CVSS 4.0 vector's AT:P (attack requirements present) field indicates that specific runtime preconditions beyond mere file delivery must be met for successful exploitation, consistent with the inherent unpredictability of heap corruption primitives.

RemediationAI

The primary remediation is to upgrade MACH HiDraw to version 9.22 or later, which is confirmed as the fixed release per the vendor advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000248&LanguageCode=en&DocumentPartId=&Action=Launch. For environments where immediate patching is not feasible, compensating controls should focus on restricting the XML file import workflow: enforce operating system-level file access controls (ACLs) to prevent untrusted or external XML files from being accessible to MACH HiDraw processes, and implement application whitelisting or file integrity monitoring to ensure only known-good XML assets can be opened by the application. Additionally, limit MACH HiDraw access to the minimum set of users who require it, reducing the pool of potential low-privileged attackers. Note that restricting XML file access will directly impact legitimate HiDraw drawing import and configuration workflows and should be coordinated with operational stakeholders. Patch availability per vendor is confirmed; the exact patched version (9.22) is confirmed via EUVD data.

Share

EUVD-2026-31812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy