Description
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
Published: 2026-04-01
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

A stack-based buffer overflow occurs in the function _conv_AnimationItem within V‑SFT versions 6.2.10.0 and earlier. When a user opens a specially crafted V7 file, the overflow can lead to execution of arbitrary code in the same context as the affected product. This could give an attacker control over the device’s data, allowing unauthorized modification or extraction of data, and may facilitate further attacks on connected systems.

Affected Systems

The vulnerability affects V‑SFT products from Fuji Electric Co., Ltd. and Hakko Electronics Co., Ltd., specifically V‑SFT software versions 6.2.10.0 and earlier. No later versions are listed as affected in the current advisory.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity with a large impact on confidentiality, integrity, and availability. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to deliver a crafted V7 file to the target, implying a local or remote user who can trigger file processing. If an attacker gains the necessary privilege, they could execute malicious code on the device.

Generated by OpenCVE AI on April 7, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version newer than 6.2.10.0 if available
  • If no patch exists, block or disable processing of V7 files or restrict file access rights
  • Verify all firmware updates in the vendor’s advisory and install them promptly
  • Monitor the device for abnormal process activity or unexpected code execution

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title V‑SFT Stack Buffer Overflow May Enable Arbitrary Code Execution

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:fujielectric:v-sft:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Title | | V‑SFT Stack Buffer Overflow May Enable Arbitrary Code Execution
First Time appeared | | Fujielectric; Fujielectric v-sft
Vendors & Products | | Fujielectric; Fujielectric v-sft

Thu, 02 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
Weaknesses | | CWE-121
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-02T13:32:44.120Z

Reserved: 2026-03-16T23:27:50.173Z

Link: CVE-2026-32928

Vulnrichment

Updated: 2026-04-02T13:27:10.936Z

NVD

Status: Analyzed

Published: 2026-04-01T23:17:03.267

Modified: 2026-04-07T18:27:31.827

Link: CVE-2026-32928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:40Z

Weaknesses