Digilent DASYLab contains two out-of-bounds write vulnerabilities in its parsing of user files that may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted DASYLab file. These vulnerabilities affect all versions of Digilent DASYLab.
These vulnerabilities are identified as CVE-2026-0954 and CVE-2026-0957.
There are no fixes available for these issues. Digilent strongly recommends users practice good cyber awareness and avoid opening files from any untrusted source. These issues are not exploitable remotely.
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
Digilent would like to thank Anonymous working with Trend Micro Zero Day Initiative for reporting CVE-2026-0954 and working with us on coordinated disclosure.
Digilent would like to thank Rocco Calvi (@TecR0c) with TecSecurity working with Trend Micro Zero Day Initiative for reporting CVE-2026-0957 and working with us on coordinated disclosure.
| Product Version | Mitigation |
|---|---|
| DASYLab – all versions | See above |