Invalid Input Validation Vulnerabilities in NI-PAL

NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. Refer to the Affected Products section for information on upgrading these products.   

NI-PAL is a common component in many NI drivers. You only need to upgrade one NI driver that includes this component or install the patch once per machine. The patch is backwards compatible with previous versions of NI software. 

This vulnerability affects NI-PAL 26.3.0 and prior versions. To determine the version of NI-PAL installed, follow the instructions for your operating system. 

Windows

Identify Installed NI-PAL Version

1. Navigate to %WinDir%\system32\drivers folder.
2. Find the file nipalk.sys. Right-click on the file and select Properties.  
3. In the Properties window, navigate to the Details tab. Note the version listed in the Product Version field.
4. If the NI-PAL version is 26.3.0 or prior, install the patch for Windows.

Linux Desktop

Identify Installed NI-PAL Version 

• Use your distribution’s package manager to view the version of the ni-pal package
  

OR

• Execute the following command to report the version of the loaded NI-PAL kernel module: 
  dkms status | grep nipalk

If the NI-PAL version is 26.3.0 or prior, upgrade the NI driver version.

Upgrade for Linux

1. Install NI Linux Device Drivers 2026 Q2 per the standard instructions
2. Install the latest updates from a terminal prompt 

• Ubuntu 
  • sudo apt-get update && sudo apt-get upgrade

• Red Hat Enterprise Linux  
  • sudo dnf upgrade/span>

• openSUSE Leap 
  • sudo zypper refresh && sudo zypper update

NI Linux Real-Time 

1. Install NI Linux RT System Image 2026 Q2 on the host
2. Apply Linux RT System Image 2026 Q2 to the target
3. Install the latest updates. From a host terminal prompt: 

• ssh <username>@<target hostname or address> 

• Enter target credentials if necessary

• At the ssh session prompt: 
  • sudo opkg update && sudo opkg upgrade 'ni-pal'

• CVE-2026-8035 - 7.1 - CVSS:3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
• CVE-2026-8035 – 6.9 - CVSS:4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

• CVE-2026-8036 - 7.1 - CVSS:3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
• CVE-2026-8036 – 8.4 - CVSS:4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

NI Update Service is a Windows utility that checks for and delivers updates for NI software and drivers, including security updates. It can be used to manually check for updates, configured to periodically check and notify users, or to automatically download and install updates at a scheduled time.

Some mitigations in this advisory are delivered through NI Update Service. NI recommends upgrading to NI Update Service 2026 Q1 or later to get the latest updates. NI Update Service can be installed on its own and is backwards compatible with older NI software.

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

NI would like to thank Patrick Saif (@weezerOSINT) for reporting this issue and working with us on coordinated disclosure. 

• CVE-2026-8035 - National Vulnerability Database
• CWE-476 – NULL Pointer Dereference
• CVE-2026-8036 - National Vulnerability Database
• CWE-1285 – Improper Validation of Specified Index, Position, or Offset in Input