CVE-2026-32927: Out-of-bounds Read in FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd. V-SFT
CVE-2026-32927 is a high-severity out-of-bounds read vulnerability affecting V-SFT versions 6.2.10.0 and earlier from FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd. The flaw exists in the function VS6MemInIF!set_temp_type_default and can be triggered by opening a specially crafted V7 file. Exploitation may lead to significant information disclosure, impacting confidentiality, integrity, and availability.
AI Analysis
Technical Summary
CVE-2026-32927 identifies an out-of-bounds read vulnerability in the V-SFT software developed by FUJI ELECTRIC CO., LTD. and Hakko Electronics Co., Ltd., specifically in versions 6.2.10.0 and earlier. The vulnerability resides in the function VS6MemInIF!set_temp_type_default, which improperly handles memory boundaries when processing V7 files. An attacker can craft a malicious V7 file that, when opened by the vulnerable V-SFT application, triggers an out-of-bounds read condition. This leads to unauthorized disclosure of memory contents, potentially exposing sensitive information such as internal program data, credentials, or other critical information stored in memory. The vulnerability has a CVSS 3.1 base score of 7.8, indicating high severity, with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This means the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the potential for information leakage and system compromise. V-SFT is used in industrial automation and control systems, making this vulnerability particularly concerning for critical infrastructure environments. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.
Potential Impact
The vulnerability can lead to severe information disclosure, allowing attackers to read sensitive memory areas that could contain proprietary data, credentials, or control logic. This compromises confidentiality and may enable further attacks such as privilege escalation or unauthorized control of industrial processes. The integrity of the system is also at risk since attackers could manipulate or infer internal states, potentially disrupting operations. Availability impact is high because exploitation could cause crashes or unstable behavior in critical industrial control software. Organizations relying on V-SFT for automation and control may face operational disruptions, intellectual property theft, and safety hazards. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised endpoints could leverage this vulnerability. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once details become widely known.
Mitigation Recommendations
Organizations should immediately identify all instances of V-SFT version 6.2.10.0 and earlier within their environment. Since no patches are currently available, implement strict access controls to limit local access to trusted users only. Employ application whitelisting and endpoint protection to prevent opening untrusted or unsolicited V7 files. Educate users about the risks of opening files from unknown or unverified sources. Monitor systems for unusual activity or crashes related to V-SFT processes. Network segmentation should isolate industrial control systems running V-SFT from general IT networks to reduce exposure. Consider deploying host-based intrusion detection systems (HIDS) to detect anomalous memory access or application behavior. Maintain regular backups and incident response plans tailored for industrial environments. Stay alert for vendor updates or patches and apply them promptly once released. Engage with FUJI ELECTRIC and Hakko Electronics for official remediation guidance.
Affected Countries
Japan, United States, Germany, South Korea, China, Taiwan, France, Italy, United Kingdom, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-03-16T23:27:50.173Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cda8e6e6bfc5ba1d0b579f
Added to database: 4/1/2026, 11:23:18 PM
Last enriched: 4/1/2026, 11:38:49 PM
Last updated: 4/2/2026, 1:39:16 AM