CVE-2026-23716
Published: 10 February 2026
Summary
CVE-2026-23716 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Siemens Simcenter Femap. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation including patching vulnerable Simcenter Femap and Nastran versions prior to V2512 to eliminate the out-of-bounds read vulnerability.
SI-16 implements memory protections like ASLR and DEP that mitigate arbitrary code execution from the out-of-bounds read during XDB file parsing.
SI-10 enforces input validation on XDB files to detect and reject specially crafted inputs that trigger the out-of-bounds read vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in XDB file parser directly enables arbitrary code execution when a user opens a malicious file (T1204.002).
NVD Description
A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted XDB files. This could allow an attacker to…
more
execute code in the context of the current process.
Deeper analysisAI
CVE-2026-23716 is an out-of-bounds read vulnerability (CWE-125) affecting Simcenter Femap and Simcenter Nastran in all versions prior to V2512. The flaw occurs while parsing specially crafted XDB files, which can lead to arbitrary code execution in the context of the current process. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires a local attacker with no privileges (PR:N) to trick a user into opening a malicious XDB file (UI:R), as the attack vector is local (AV:L) with low complexity (AC:L). Successful exploitation allows the attacker to execute code within the application's process context, potentially compromising the system depending on user privileges and application runtime.
Siemens Security Advisory SSA-965753, available at https://cert-portal.siemens.com/productcert/html/ssa-965753.html, provides details on mitigation, including recommendations for upgrading to Simcenter Femap V2512 or later and Simcenter Nastran V2512 or later. Security practitioners should consult the advisory for full patch information and workarounds.
Details
- CWE(s)