{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)", "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Solid Edge SE2026 before Update 5 is affected by two file parsing vulnerabilities that could be triggered when the application reads specially crafted files in PAR format. This could allow an attacker to crash the application or execute arbitrary code.\n\nSiemens has released a new version for Solid Edge SE2026 and recommends to update to the latest version.", "title": "Summary" }, { "category": "general", "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "title": "General Recommendations" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "productcert@siemens.com", "name": "Siemens ProductCERT", "namespace": "https://www.siemens.com" }, "references": [ { "category": "self", "summary": "SSA-921111: Two File Parsing Vulnerabilities in Solid Edge Before Version SE226 Update 5 - HTML Version", "url": "https://cert-portal.siemens.com/productcert/html/ssa-921111.html" }, { "category": "self", "summary": "SSA-921111: Two File Parsing Vulnerabilities in Solid Edge Before Version SE226 Update 5 - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-921111.json" } ], "title": "SSA-921111: Two File Parsing Vulnerabilities in Solid Edge Before Version SE226 Update 5", "tracking": { "current_release_date": "2026-05-13T00:00:00.000Z", "generator": { "engine": { "name": "Siemens ProductCERT CSAF Generator", "version": "1" } }, "id": "SSA-921111", "initial_release_date": "2026-05-12T00:00:00.000Z", "revision_history": [ { "date": "2026-05-12T00:00:00.000Z", "legacy_version": "1.0", "number": "1", "summary": "Publication Date" }, { "date": "2026-05-13T00:00:00.000Z", "legacy_version": "1.1", "number": "2", "summary": "Fixed error in title with the change from SE225 to SE226" } ], "status": "interim", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:intdot/<226.0.5", "product": { "name": "Solid Edge", "product_id": "1" } } ], "category": "product_name", "name": "Solid Edge" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-44411", "cwe": { "id": "CWE-824", "name": "Access of Uninitialized Pointer" }, "notes": [ { "category": "summary", "text": "The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V226.0 Update 5 or later version", "product_ids": [ "1" ], "url": "https://support.sw.siemens.com/product/246738425/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2026-44411" }, { "cve": "CVE-2026-44412", "cwe": { "id": "CWE-121", "name": "Stack-based Buffer Overflow" }, "notes": [ { "category": "summary", "text": "The affected applications contain a stack based overflow vulnerability while parsing specially crafted PAR files.\r\nThis could allow an attacker to execute code in the context of the current process.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V226.0 Update 5 or later version", "product_ids": [ "1" ], "url": "https://support.sw.siemens.com/product/246738425/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2026-44412" } ] }