CVE-2026-40936 · CWE-125 · Disclosed 2025-11-17

Siemens Solid Edge / PS/IGES Parasolid Translator out-of-bounds read via crafted IGS files

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a booby-trapped blueprint, not an internet-facing front door

I could not find an authoritative record for CVE-2026-40936. All authoritative hits converge on CVE-2025-40936, a Siemens out-of-bounds read in the PS/IGES Parasolid Translator Component that is also called out in Solid Edge advisories. Siemens says the affected ranges are PS/IGES Parasolid Translator Component < V29.0.258 and Solid Edge < V226.00 Update 03; the bug is triggered when a user opens a specially crafted IGS file, causing a crash or possible code execution in the current process.

If this is the issue your tooling meant, the raw vendor impact is high, but the *operational* risk is lower than that label suggests. This is not unauthenticated network reachability; it is a local file-parsing bug with required user interaction, on a specialized engineering desktop population, with no KEV listing, no public PoC located, and very low EPSS. For a patch team managing thousands of endpoints, that makes this a MEDIUM patching problem unless you have a large Siemens CAD estate that routinely ingests external design files.

"Likely a typo for CVE-2025-40936; the real risk is a user-opened CAD file trap, not a mass-exploitation emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Build a malicious IGS lure

The attacker needs a specially crafted IGS file that exercises the translator's out-of-bounds read condition. In practice this is a custom malformed geometry file, likely built with a file fuzzer or by hand from format knowledge; ZDI ties the bug to ZDI-CAN-26755.
Conditions required:
  • Attacker understands or can fuzz the IGS parsing path
  • Target uses Siemens software that embeds the vulnerable translator
Where this breaks in practice:
  • No public exploit repository or turnkey PoC was located
  • Turning a parser crash into reliable code execution on a modern Windows endpoint is materially harder than causing a DoS
Detection/coverage: Commodity vuln scanners are weak here; this is better covered by software inventory plus threat detection around suspicious IGS delivery.
STEP 02

Land the file on an engineer workstation

The usual delivery path is phishing, supplier file exchange, shared drives, PLM portals, or a download page. The attacker must reach a user who actually opens CAD exchange files, not just any employee.
Conditions required:
  • Access to the victim's email, collaboration channel, file share, or supplier workflow
  • A target user who works with external CAD/IGS content
Where this breaks in practice:
  • This is a niche user population, not your whole estate
  • Email security, browser protections, sandboxing, and user skepticism all cut delivery success
Detection/coverage: Email gateway detonation and web sandboxing may flag malformed attachments, but coverage is inconsistent for niche CAD formats.
STEP 03

Trigger the parser

Exploitation requires the victim to open the IGS file in an affected application or workflow that invokes the vulnerable translator. Siemens' own language is explicit: the user must be tricked into opening the malicious file.
Conditions required:
  • Victim opens the file or visits content that causes the file to be processed
  • Installed version is below the fixed level
Where this breaks in practice:
  • Requires human action, which sharply reduces scale and reliability
  • Many enterprises restrict external CAD imports to dedicated workflows or isolated engineering VMs
Detection/coverage: EDR can often see child process anomalies, crash signatures, or exploit mitigations firing, but won't label this CVE by name.
STEP 04

Crash or gain user-context execution

Best case for the attacker is code execution in the context of the current process; worst case for the defender is compromise of an engineering workstation handling sensitive IP. In many real deployments, though, the more reliable outcome is an application crash rather than stable RCE.
Conditions required:
  • Successful memory corruption beyond a mere crash
  • User context has access to valuable local or network design data
Where this breaks in practice:
  • No evidence of in-the-wild exploitation was found
  • User-context execution has a smaller blast radius than a server-side or SYSTEM-level bug
Detection/coverage: Look for application crash telemetry, EDR exploit prevention alerts, and unusual access to engineering file shares after IGS opens.
03 · Intelligence Metadata

The supporting signals.

Record reality: I found no authoritative record for CVE-2026-40936. Authoritative vendor/CNA material points to CVE-2025-40936 instead.
Closest authoritative match: Siemens advisories SSA-241605 and SSA-445819 describe the issue.
In-the-wild status: Not KEV-listed and no public exploitation evidence found. OpenCVE also shows CISA ADP enrichment with exploitation marked none.
Public PoC / writeup: I found no public PoC repo. Public discussion is limited to vendor/NVD/GitHub mirrors and ZDI-25-1042.
EPSS: OpenCVE reports EPSS 0.0002 (about 0.02%), which is very low for broad attacker interest.
KEV status: Not present in the CISA KEV Catalog.
CVSS vector on the closest match: Siemens CNA score: 7.8 / HIGH with CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Translation: local attack vector plus required user interaction.
Affected versions: PS/IGES Parasolid Translator Component < V29.0.258 and Solid Edge < V226.00 Update 03.
Fixed versions: Upgrade to V29.0.258 for the translator component and V226.00 Update 03 or later for Solid Edge.
Exposure reality: This is not an internet-facing server-class issue. Shodan/Censys-style internet exposure data is largely irrelevant because the reachable surface is an engineering endpoint opening a file.
Disclosure / researcher: Siemens first published the component advisory on 2025-11-17; Solid Edge was added on 2026-02-10. ZDI credits Rocco Calvi (@TecR0c) with TecSecurity.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The decisive down-pressure is required user interaction on a specialized engineering endpoint, which turns this from a broadly reachable exploit into a targeted file-delivery problem. Even if code execution is possible, the reachable population and blast radius are far narrower than a network-exposed service flaw.

HIGH: Exploit chain for the likely intended issue requires a victim to process a malicious `IGS` file
MEDIUM: Mapping from requested `CVE-2026-40936` to likely intended `CVE-2025-40936`

Why this verdict

  • Identifier mismatch matters: there is no authoritative record for CVE-2026-40936; this is an initial assessment of the likely intended Siemens issue, not a comparison against a baseline.
  • User-opened file requirement cuts severity: the attacker needs delivery plus a human open action, which modern email security, web filtering, and user behavior often interrupt before exploit code ever runs.
  • Population and blast radius are narrow: affected software lives on engineering workstations, not on internet-facing servers, and compromise typically lands in the current user context rather than domain-wide by default.

Why not higher?

I did not find KEV status, exploitation evidence, or a public PoC. More importantly, the chain is not unauthenticated remote exploitation; it depends on a malicious file reaching a user who actually handles IGS content and then being opened in a vulnerable app.

Why not lower?

This still carries plausible code execution impact on high-value engineering endpoints that often store sensitive design IP and connect to shared repositories. Supplier and partner file exchange is a realistic delivery channel, so this is not just theoretical crash-only noise.

05 · Compensating Control

What to do — in priority order.

  1. Gate external IGS files — Route externally sourced IGS attachments and downloads for detonation or manual approval before they reach engineering users. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control is worth deploying now if your CAD teams regularly exchange files with suppliers.
  2. Isolate engineering workstations — Keep Solid Edge and related CAD endpoints in a tighter policy zone with stronger EDR, reduced local admin, and limited access to sensitive file shares. There is no mitigation SLA here, so apply this selectively where the business actually processes third-party design files while you work the remediation window.
  3. Hunt for risky file-open patterns — Alert on IGS files opened directly from email temp paths, browser download folders, Teams/SharePoint sync folders, or untrusted SMB locations. This is a high-signal compensating control for engineering populations because it focuses on the actual exploitation path instead of generic CVE noise.
  4. Restrict untrusted child-process behavior — Use EDR exploit prevention, ASR-style rules, or application control to suppress suspicious child processes and post-exploitation behavior from CAD applications. That will not fix the parser, but it can reduce the chance that a file-open becomes durable user-context compromise during the remediation window.
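As an added illustration of control 3 (this is not code from the noisgate page or from Siemens), the following PowerShell classifies CAD file-open command lines by launch location and shows how to feed it from Sysmon process-creation events. The untrusted-path patterns, the Sysmon log name, and the Solid Edge install path and executable name in the constructed samples are assumptions.

```powershell
# Added example: flag IGS/IGES opens launched from untrusted locations (control 3 above).
# Path patterns, the Sysmon log source and the sample command lines are assumptions, not page content.
$UntrustedPathPatterns = @(
    '\\AppData\\Local\\Microsoft\\Windows\\INetCache\\',  # Outlook attachment temp cache
    '\\AppData\\Local\\Temp\\',                           # generic temp (previewers, archive unpackers)
    '\\Downloads\\',                                      # browser download folder
    '\\Microsoft\\Teams\\',                               # Teams cached files
    '\\OneDrive - ',                                      # synced SharePoint/OneDrive libraries
    '(?:^|[\s"])\\\\[A-Za-z0-9._-]+\\'                    # UNC path: file opened straight off an SMB share
)

function Test-RiskyIgsOpen {
    param([string]$CommandLine)
    # Only CAD exchange files handled by the translator are of interest
    if ($CommandLine -notmatch '(?i)\.ig(?:e)?s\b') { return $null }
    foreach ($pattern in $UntrustedPathPatterns) {
        if ($CommandLine -match "(?i)$pattern") {
            return [PSCustomObject]@{ MatchedPattern = $pattern; CommandLine = $CommandLine }
        }
    }
    return $null
}

function Get-RiskyIgsOpensFromSysmon {
    param([int]$Hours = 24)
    # Sysmon Event ID 1 = process creation; assumes Sysmon with command-line logging is deployed
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        $hit  = Test-RiskyIgsOpen -CommandLine $cmd
        if ($hit) { $hit | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $e.TimeCreated -PassThru }
    }
}

# Constructed sample command lines (not real telemetry); install path and Edge.exe name are assumptions
$samples = @(
    '"C:\Program Files\Siemens\Solid Edge\Program\Edge.exe" "C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\bracket.igs"',
    '"C:\Program Files\Siemens\Solid Edge\Program\Edge.exe" "\\partner-nas\exchange\housing.IGES"',
    '"C:\Program Files\Siemens\Solid Edge\Program\Edge.exe" "D:\PLM\released\frame.igs"',
    '"C:\Program Files\Siemens\Solid Edge\Program\Edge.exe" "C:\Users\jdoe\Downloads\gear.par"'
)
# The first two samples are flagged; the released-library open and the non-IGS file are not
$samples | ForEach-Object { Test-RiskyIgsOpen -CommandLine $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run `Get-RiskyIgsOpensFromSysmon -Hours 72` on an engineering endpoint to apply the same classifier to real Sysmon telemetry.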
What doesn't work
  • A perimeter WAF does nothing here because the exploit path is a local file parser, not an exposed web endpoint.
  • A network vulnerability scan will mostly miss this because the condition is triggered by opening a crafted IGS file, not by probing a listening service.
  • Generic firewall rules are weak mitigation; they may help contain post-exploitation, but they do not stop a user from opening the malicious file in the first place.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint that may have Siemens Solid Edge installed, or push it remotely with your endpoint tooling. Invoke it as powershell -ExecutionPolicy Bypass -File .\check-solidedge-cve-2025-40936.ps1; standard user rights are usually enough for a local check, though remote collection may require admin depending on your tooling.

noisgate-verify.ps1 (PowerShell · read-only · safe)
# check-solidedge-cve-2025-40936.ps1
# Detects likely exposure to the Siemens Solid Edge issue commonly published as CVE-2025-40936.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $items = @()
    foreach ($p in $paths) {
        try {
            $items += Get-ItemProperty -Path $p -ErrorAction SilentlyContinue | Where-Object {
                $_.DisplayName -match 'Solid Edge'
            }
        } catch {}
    }
    return $items
}

function Parse-SolidEdgeVersion {
    param([string]$VersionString)

    if ([string]::IsNullOrWhiteSpace($VersionString)) { return $null }

    $major = $null
    $minor = 0
    $update = 0

    if ($VersionString -match '(?i)V?(\d+)(?:\.(\d+))?') {
        $major = [int]$matches[1]
        if ($matches[2]) { $minor = [int]$matches[2] }
    }

    if ($VersionString -match '(?i)Update\s*(\d+)') {
        $update = [int]$matches[1]
    } elseif ($VersionString -match '^(\d+)\.(\d+)\.(\d+)$') {
        $major = [int]$matches[1]
        $minor = [int]$matches[2]
        $update = [int]$matches[3]
    }

    if ($null -eq $major) { return $null }

    [PSCustomObject]@{
        Raw    = $VersionString
        Major  = $major
        Minor  = $minor
        Update = $update
    }
}

function Compare-ToFixedVersion {
    param($Parsed)

    # Fixed vendor version: V226.00 Update 03
    if ($Parsed.Major -lt 226) { return 'VULNERABLE' }
    if ($Parsed.Major -gt 226) { return 'PATCHED' }

    # Major == 226: the fixed minor is 00, so any non-zero minor is newer than the fix
    if ($Parsed.Minor -gt 0) { return 'PATCHED' }

    # Major == 226, Minor == 0: Update 03 or later is required
    if ($Parsed.Update -lt 3) { return 'VULNERABLE' }
    return 'PATCHED'
}

try {
    $entries = Get-UninstallEntries

    if (-not $entries -or $entries.Count -eq 0) {
        Write-Output 'UNKNOWN - Solid Edge not found in uninstall registry paths'
        exit 2
    }

    # Parse every Solid Edge entry and keep the highest version numerically; a plain string
    # sort on DisplayVersion would order "Update 10" before "Update 3"
    $parsed = $entries |
        ForEach-Object { Parse-SolidEdgeVersion -VersionString $_.DisplayVersion } |
        Where-Object { $_ } |
        Sort-Object -Property Major, Minor, Update -Descending |
        Select-Object -First 1

    if ($null -eq $parsed) {
        Write-Output ('UNKNOWN - Found Solid Edge but could not parse version string: ' + ($entries.DisplayVersion -join ', '))
        exit 2
    }

    $result = Compare-ToFixedVersion -Parsed $parsed

    if ($result -eq 'VULNERABLE') {
        Write-Output ('VULNERABLE - Solid Edge version appears below V226.00 Update 03 (' + $parsed.Raw + ')')
        exit 1
    }

    Write-Output ('PATCHED - Solid Edge version appears at or above V226.00 Update 03 (' + $parsed.Raw + ')')
    exit 0
}
catch {
    Write-Output ('UNKNOWN - Error during check: ' + $_.Exception.Message)
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first, clean up the identifier problem in your VM data — I found no authoritative CVE-2026-40936, and the likely intended issue is Siemens CVE-2025-40936. If that mapping is correct, treat it as MEDIUM: there is no noisgate mitigation SLA — go straight to the 365-day remediation window for the actual patch, while selectively applying file-handling controls on engineering endpoints that ingest third-party IGS content. Prioritize software inventory on Solid Edge and Parasolid translator users now, then complete vendor patching inside the noisgate remediation SLA of ≤365 days unless your environment has a concentrated high-value engineering population or risky supplier file flows, in which case pull it forward operationally.

Sources

  1. Siemens ProductCERT SSA-241605
  2. Siemens ProductCERT SSA-445819
  3. NVD CVE-2025-40936
  4. GitHub Advisory GHSA-295f-pwgh-q72q
  5. OpenCVE CVE-2025-40936
  6. Zero Day Initiative ZDI-25-1042
  7. CISA Known Exploited Vulnerabilities Catalog