CVE-2026-0954
Published: 13 March 2026
Summary
CVE-2026-0954 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in NI DASYLab. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 6.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Requires timely remediation of flaws like the out-of-bounds write in Digilent DASYLab by applying vendor-provided security updates.
- Implements memory protections such as ASLR and DEP to mitigate exploitation of memory corruption vulnerabilities from malformed DSB files.
- Enforces validation of file inputs like DSB files to block malformed data that could trigger out-of-bounds writes.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Out-of-bounds write in DSB file parser enables RCE when user opens malicious file (T1204.002).
NVD Description
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted DSB file in Digilent DASYLab. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .DSB file. This vulnerability affects all versions of Digilent DASYLab.
Deeper analysis [AI]
CVE-2026-0954 is a memory corruption vulnerability stemming from an out-of-bounds write that occurs when Digilent DASYLab loads a corrupted DSB file. This flaw affects all versions of Digilent DASYLab and is classified under CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact potential on confidentiality, integrity, and availability.
Exploitation requires an attacker to entice a user into opening a specially crafted .DSB file within Digilent DASYLab. The attack vector is local, with no privileges needed but user interaction required, and successful exploitation can lead to information disclosure or arbitrary code execution on the affected system.
The National Instruments (NI) security advisory at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/out-of-bounds-write-vulnerabilities-in-digilent-dasylab.html details this out-of-bounds write vulnerability in Digilent DASYLab and provides information on available critical and security updates.
Details
- CWE(s)