PatchSiren

CVE-2026-3094 Unknown Vendor CVE debrief

CVE-2026-3094 affects Delta Electronics CNCSoft-G2 devices prior to V2.1.0.39. According to the CISA CSAF advisory ICSA-26-064-01, the issue is an out-of-bounds write in the DOPSoft component while parsing DPAX files, and Delta Electronics states the vulnerability is resolved in version V2.1.0.39. The advisory was published and last modified on 2026-03-05T07:00:00Z.

Vendor: Unknown Vendor
Product: Delta Electronics CNCSoft-G2 <V2.1.0.39
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-05
Original CVE updated: 2026-03-05
Advisory published: 2026-03-05
Advisory updated: 2026-03-05

Who should care

OT/ICS operators, engineers, and asset owners using Delta Electronics CNCSoft-G2 or the DOPSoft component should treat this as a priority. Security teams responsible for engineering workstations or systems that open or process DPAX files should also review exposure and patch status.

Technical summary

The advisory describes an out-of-bounds write condition in CNCSoft-G2's DOPSoft component during DPAX file parsing. Affected products are those prior to version V2.1.0.39. The vendor remediation states that updating to V2.1.0.39 resolves the issue. The source advisory also includes an SSVCv2 notation dated 2026-03-04T07:00:00Z, which is timing context from the advisory, not the publication date.

Defensive priority

High. The issue is rated CVSS 7.8 (HIGH) and affects software used in industrial/engineering workflows. Prioritize version verification and patching, then apply interim handling controls for DPAX files until affected systems are updated.

Recommended defensive actions

  • Inventory all Delta Electronics CNCSoft-G2 installations and confirm whether any are earlier than V2.1.0.39.
  • Apply the vendor update to V2.1.0.39 from the Delta Electronics download center.
  • Until systems are updated, restrict or closely review handling of DPAX files, especially untrusted files.
  • Test the update in a controlled environment before rolling it into production OT or engineering systems.
  • Review CISA industrial control system recommended practices for general defense-in-depth measures.
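
The inventory and version check from the first action, as an added example that is not part of the advisory or any vendor tooling. It assumes a CSV export with hypothetical columns host, product and version; the sample rows and hostnames are constructed. Versions are compared numerically, since a plain string comparison would rank 2.1.0.4 above 2.1.0.39.

```python
import csv
import io
import re

FIXED = (2, 1, 0, 39)  # V2.1.0.39, the fixed version named in the advisory

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,CNCSoft-G2,V2.1.0.39
eng-ws-02,CNCSoft-G2,v2.1.0.4
eng-ws-03,CNCSoft-G2,2.0.0.5
eng-ws-04,CNCSoft-G2,V2.1.1.0
eng-ws-05,CNCSoft-G2,unknown
eng-ws-06,OtherTool,1.0.0.0
"""

VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+){0,3})$")


def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a dotted version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(inventory_csv, product="CNCSoft-G2", fixed=FIXED):
    """Sort hosts running `product` into patched / vulnerable / review buckets."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product.lower():
            continue
        version = parse_version(row["version"])
        if version is None:
            bucket = "review"      # unreadable version: verify by hand
        elif version < fixed:
            bucket = "vulnerable"  # numeric compare: 2.1.0.4 < 2.1.0.39
        else:
            bucket = "patched"
        result[bucket].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the review bucket have a version string that could not be parsed and should be checked by hand rather than assumed patched.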

Evidence notes

This debrief is based on the supplied CISA CSAF source item for ICSA-26-064-01 and the linked Delta Electronics remediation notice. The source text explicitly states that Delta Electronics CNCSoft-G2 devices prior to V2.1.0.39 are vulnerable to an out-of-bounds write while parsing DPAX files in the DOPSoft component, and that V2.1.0.39 resolves the vulnerability. The source advisory metadata lists publication and modification on 2026-03-05T07:00:00Z.

Official resources

Publicly disclosed by CISA on 2026-03-05 through ICSA-26-064-01, which the source metadata identifies as an initial republication of Delta-PCSA-2026-00004. No KEV entry is indicated in the supplied source corpus.