CVE-2026-3094

High

Published: 04 March 2026

Modified: 06 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3094 is a high-severity out-of-bounds write (CWE-787) vulnerability in Delta Electronics CNCSoft-G2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 1.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3094 is an out-of-bounds write vulnerability (CWE-787) in Delta Electronics CNCSoft-G2, stemming from a lack of proper validation of user-supplied files during parsing. The issue allows arbitrary code execution when a malicious file is opened and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It was published on 2026-03-04.

Exploitation requires local access to the system running CNCSoft-G2. Attack complexity is low and no privileges are needed, but the attack depends on user interaction: the user must open a specially crafted malicious file. A successful attack executes arbitrary code in the context of the current process, with potentially high impact on confidentiality, integrity, and availability.

Delta Electronics has published security advisory PCSA-2026-00004 detailing the vulnerability and mitigation steps, available at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00004_CNCSoft-G2_File%20Parsing%20Out-Of-Bounds%20Write.pdf.

Vulnerability details

Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

An out-of-bounds write in the file parser enables arbitrary code execution that is triggered by opening a malicious file (T1204.002), which directly matches client-side vulnerability exploitation (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22881: Same product (Deltaww Cncsoft-G2)
CVE-2025-22880: Same product (Deltaww Cncsoft-G2)
CVE-2026-1361: Same vendor (Deltaww)
CVE-2026-5726: Same vendor (Deltaww)
CVE-2026-3630: Same vendor (Deltaww)
CVE-2026-0975: Same vendor (Deltaww)
CVE-2026-27273: Shared CWE-787
CVE-2026-33854: Shared CWE-787
CVE-2026-27622: Shared CWE-787
CVE-2026-21342: Shared CWE-787

Affected Assets

Vendor: deltaww
Product: cncsoft-g2
Affected versions: ≤ 2.1.0.39

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly addresses the lack of proper validation of user-supplied files during parsing that enables the out-of-bounds write and code execution.

prevent

Mandates timely flaw remediation through application of vendor patches as detailed in the Delta Electronics security advisory for this specific vulnerability.

prevent

Implements memory safeguards like DEP and ASLR to protect against arbitrary code execution resulting from the out-of-bounds write vulnerability.
