CVE-2026-32929 is an out-of-bounds read vulnerability identified in the V-SFT software developed by FUJI ELECTRIC CO., LTD. and Hakko Electronics Co., Ltd., specifically affecting versions 6.2.10.0 and prior. The vulnerability resides in the VS6ComFile module's get_macro_mem_COM function, which improperly handles memory when processing V7 files. An attacker can craft a malicious V7 file that, when opened by the vulnerable V-SFT application, triggers an out-of-bounds read, allowing unauthorized disclosure of memory content. This flaw can expose sensitive information residing in adjacent memory regions, potentially including credentials, configuration data, or other critical information. The vulnerability requires the victim to open a malicious file, implying user interaction is necessary, and the attack vector is local (AV:L). No privileges are required to exploit this vulnerability, increasing its risk profile. The CVSS v3.1 base score is 7.8, reflecting high severity due to its impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to organizations relying on V-SFT for industrial automation or control systems. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

The primary impact of CVE-2026-32929 is unauthorized information disclosure, which can compromise confidentiality by leaking sensitive data from the affected system's memory. This leakage could include proprietary process information, credentials, or other critical data used in industrial control environments. The vulnerability also affects integrity and availability, as the out-of-bounds read may cause application instability or crashes, potentially disrupting operational technology (OT) processes. For organizations using V-SFT in manufacturing or industrial automation, this could translate into operational downtime, loss of intellectual property, or exposure to further attacks leveraging disclosed information. Given the local attack vector and requirement for user interaction, the risk is higher in environments where users may open untrusted files or where insider threats exist. The vulnerability's high CVSS score underscores its potential to cause significant harm if exploited, especially in critical infrastructure sectors.

Organizations should immediately verify their V-SFT version and upgrade to a patched version once available from FUJI ELECTRIC CO., LTD. or Hakko Electronics Co., Ltd. In the absence of an official patch, implement strict file handling policies to prevent opening untrusted or unsolicited V7 files. Employ application whitelisting and restrict user permissions to limit the ability to execute or open files from unverified sources. Conduct user awareness training emphasizing the risks of opening unknown files, particularly in industrial environments. Network segmentation should be enforced to isolate systems running V-SFT from general user networks, reducing the likelihood of malicious file delivery. Monitor system logs and application behavior for anomalies indicative of exploitation attempts. Additionally, consider deploying endpoint detection and response (EDR) solutions capable of detecting unusual memory access patterns or crashes related to V-SFT. Collaborate with vendors for timely updates and share threat intelligence within industry groups to stay informed about emerging exploits.