Description
Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds write (CWE-787) exists in Delta Electronics CNCSoft-G2: the application fails to validate the contents of a user-supplied file during parsing. If a user opens a malicious file, the resulting buffer overrun can be exploited to execute arbitrary code in the context of the current process, leading to potential full system compromise.

Affected Systems

All versions of Delta Electronics CNCSoft-G2 released prior to v2.1.0.39 are affected. This includes any deployment still running an earlier build of the software.

Risk and Exploitability

Based on the description, it is inferred that the attack requires the attacker to supply a malicious file that a legitimate user then opens, so the primary vector is local file import rather than remote access. This is consistent with the AV:L and UI:R components of the CVSS vector. The vulnerability has a CVSS score of 7.8, indicating high severity, but its EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. Although the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, it remains a significant risk for exposed systems that process untrusted files.

Generated by OpenCVE AI on April 16, 2026 at 13:41 UTC.

Remediation

Vendor Solution

Download and update to: v2.1.0.39 or later


OpenCVE Recommended Actions

  • Apply the vendor-provided patch to update CNCSoft-G2 to version v2.1.0.39 or later.
  • Restrict the use of the file import feature to trusted users or disable it entirely until a patch is applied.
  • Implement strict input validation on any file content processing functions to prevent uncontrolled buffer writes, addressing the underlying buffer-overflow weakness identified by CWE-787.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.
Title | | File Parsing Out-Of-Bounds Write in CNCSoft-G2
First Time appeared | | Deltaww; Deltaww cncsoft-g2
Weaknesses | | CWE-787
CPEs | | cpe:2.3:a:deltaww:cncsoft-g2:*:*:*:*:*:*:*:*
Vendors & Products | | Deltaww; Deltaww cncsoft-g2
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Deltaww

Published:

Updated: 2026-03-18T05:40:54.458Z

Reserved: 2026-02-24T02:37:45.836Z

Link: CVE-2026-3094

Vulnrichment

Updated: 2026-03-04T21:26:54.066Z

NVD

Status: Analyzed

Published: 2026-03-04T09:15:58.457

Modified: 2026-03-06T20:12:48.150

Link: CVE-2026-3094

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses