CVE-2026-0955
Published: 13 March 2026
Summary
CVE-2026-0955 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in NI DASYLab. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the out-of-bounds read vulnerability by requiring timely application of vendor patches as detailed in the NI security advisory.
- Implements memory safety mechanisms like ASLR and DEP to protect against exploitation of memory corruption vulnerabilities such as out-of-bounds reads leading to code execution.
- Validates and sanitizes file inputs before processing in DASYLab to block specially crafted corrupted files from triggering the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in a client application enables arbitrary code execution when a user opens a malicious file (T1204.002), which maps directly to Exploitation for Client Execution (T1203).
NVD Description
There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file. This vulnerability affects all versions of Digilent DASYLab.
Deeper analysis
CVE-2026-0955 is a memory corruption vulnerability stemming from an out-of-bounds read (CWE-125) in Digilent DASYLab, occurring when loading a corrupted file. This flaw affects all versions of the software and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Successful exploitation could lead to information disclosure or arbitrary code execution.
The attack vector is local: an attacker must trick a user into opening a specially crafted file within Digilent DASYLab. The attacker needs no privileges, but user interaction is required, so delivery depends on social engineering. Successful exploitation has a high impact on confidentiality, integrity, and availability and can compromise the affected system.
The National Instruments (NI) security advisory at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/out-of-bounds-read-vulnerabilities-in-digilent-dasylab.html details available critical and security updates for addressing out-of-bounds read vulnerabilities in Digilent DASYLab. Security practitioners should consult this reference for patch information and mitigation guidance.
Details
- CWE(s)