Cyber Posture

CVE-2026-3094

High

Published: 04 March 2026

Modified: 06 March 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3094 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Deltaww Cncsoft-G2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 1.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses the lack of proper validation of user-supplied files during parsing that enables the out-of-bounds write and code execution.

prevent

Mandates timely flaw remediation through application of vendor patches as detailed in the Delta Electronics security advisory for this specific vulnerability.

prevent

Implements memory safeguards like DEP and ASLR to protect against arbitrary code execution resulting from the out-of-bounds write vulnerability.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Out-of-bounds write in file parser enables arbitrary code execution triggered by opening a malicious file (T1204.002); directly matches client-side vulnerability exploitation (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Deeper analysis

CVE-2026-3094 is an out-of-bounds write vulnerability (CWE-787) in Delta Electronics CNCSoft-G2, stemming from a lack of proper validation of user-supplied files during parsing. The issue allows arbitrary code execution when a malicious file is opened and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It was published on 2026-03-04.

Exploitation requires local access to the system running CNCSoft-G2, with low attack complexity and no privileges, but it depends on user interaction: the user must open a specially crafted malicious file. A successful attack executes arbitrary code in the context of the current process, with potentially high impact on confidentiality, integrity, and availability.

Delta Electronics has published security advisory PCSA-2026-00004 detailing the vulnerability and mitigation steps, available at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00004_CNCSoft-G2_File%20Parsing%20Out-Of-Bounds%20Write.pdf.

Details

CWE(s)

Affected Products

deltaww cncsoft-g2 ≤ 2.1.0.39

CVEs Like This One

CVE-2025-22881 (same product: Deltaww Cncsoft-G2)
CVE-2025-22880 (same product: Deltaww Cncsoft-G2)
CVE-2026-5726 (same vendor: Deltaww)
CVE-2026-1361 (same vendor: Deltaww)
CVE-2026-3630 (same vendor: Deltaww)
CVE-2026-0975 (same vendor: Deltaww)
CVE-2026-21327 (shared CWE-787)
CVE-2025-27166 (shared CWE-787)
CVE-2025-21131 (shared CWE-787)
CVE-2025-24452 (shared CWE-787)
