{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32928", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-16T23:27:50.173Z", "datePublished": "2026-04-01T22:59:39.379Z", "dateUpdated": "2026-04-02T13:32:44.120Z"}, "containers": {"cna": {"affected": [{"vendor": "FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd.", "product": "V-SFT", "versions": [{"version": "6.2.10.0 and prior", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product."}], "problemTypes": [{"descriptions": [{"description": "Stack-based buffer overflow", "lang": "en-US", "cweId": "CWE-121", "type": "CWE"}]}], "references": [{"url": "https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb"}, {"url": "https://jvn.jp/en/vu/JVNVU90448293/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-01T22:59:39.379Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:27:06.639098Z", "id": "CVE-2026-32928", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:32:44.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32928", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:27:06.639098Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:27:10.936Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd.", "product": "V-SFT", "versions": [{"status": "affected", "version": "6.2.10.0 and prior"}]}], "references": [{"url": "https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb"}, {"url": "https://jvn.jp/en/vu/JVNVU90448293/"}], "descriptions": [{"lang": "en", "value": "V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-121", "description": "Stack-based buffer overflow"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-01T22:59:39.379Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32928", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:32:44.120Z", "dateReserved": "2026-03-16T23:27:50.173Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-01T22:59:39.379Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product."}], "id": "CVE-2026-32928", "lastModified": "2026-04-01T23:17:03.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-01T23:17:03.267", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/vu/JVNVU90448293/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.2.10.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "V-SFT", "source": "cna", "vendor": "FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd."}, "product": "v-sft", "vendor": "fujielectric"}], "analysis": {"en": {"generated_at": "2026-04-02T05:06:44.044883+00:00", "value": {"mitigation_remediation": ["Upgrade V\u2011SFT to a version newer than 6.2.10.0", "Contact Fuji Electric or Hakko Electronics for a patch or newer release", "Restrict or validate V7 file input to prevent execution of untrusted files"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Manufacturers Fuji Electric Co., Ltd. and Hakko Electronics Co., Ltd. supply the V\u2011SFT tool. Versions 6.2.10.0 and all earlier releases are vulnerable. Any deployment that processes V7 files with those releases is at risk.", "description_and_impact": "The V\u2011SFT application contains a stack\u2011based buffer overflow in the CSaveData::_conv_AnimationItem method. Opening a specially crafted V7 file may overwrite memory and enable execution of arbitrary code in the application\u2019s context. This flaw, classified as CWE\u2011121, can compromise the confidentiality, integrity, and availability of the affected device if exploited.", "risk_and_exploitability": "The CVSS score of 8.4 indicates high severity, while the absence of an EPSS score makes the likelihood of exploitation uncertain but significant. The likely attack vector is the delivery of a malicious V7 file that the product opens, which could be supplied remotely if the system accepts files over a network or via automated workflows, or locally if an authenticated user can access the file system. The impact of successful exploitation is arbitrary code execution, giving the attacker full control over the device."}}}}, "created": "2026-04-02T07:47:00.481084+00:00", "title": "V\u2011SFT Stack Buffer Overflow May Enable Arbitrary Code Execution", "updated": "2026-04-02T20:15:59.483675+00:00", "vendors": ["fujielectric", "fujielectric$PRODUCT$v-sft"]}