Digilent DASYLab DSA File Parsing Flaw Allows Remote Code Execution via Malicious Files
A high-severity out-of-bounds read vulnerability in Digilent DASYLab (CVE-2026-0956) allows remote code execution when users open specially crafted DSA files.
A critical vulnerability has been disclosed in Digilent DASYLab, a data acquisition and analysis software widely used in engineering and scientific environments. Tracked as CVE-2026-0956 and assigned a CVSS score of 7.8, the flaw resides in the parsing of DSA files, where improper validation of user-supplied data can lead to an out-of-bounds read condition. An attacker can exploit this by convincing a user to open a malicious DSA file, resulting in remote code execution within the context of the current process.
The vulnerability was reported to Digilent by researcher Rocco Calvi (@TecR0c) of TecSecurity on December 9, 2025, and was publicly disclosed on March 30, 2026, through the Zero Day Initiative (ZDI) advisory ZDI-26-234. The issue stems from a lack of proper bounds checking when parsing DSA file data, allowing an attacker to read past the end of an allocated data structure. This memory corruption can be leveraged to execute arbitrary code, potentially giving an attacker full control over the affected system.
Digilent has released a security update to address the vulnerability. Users are strongly advised to apply the patch immediately. The update is available through the National Instruments support portal at this link. The advisory notes that user interaction is required for exploitation, as the target must visit a malicious page or open a malicious file. This makes phishing campaigns a likely vector for attackers.
The impact of this vulnerability is significant for organizations relying on DASYLab for data acquisition and analysis in industrial, research, and educational settings. Successful exploitation could allow an attacker to execute code with the privileges of the logged-in user, potentially leading to data theft, system compromise, or further lateral movement within a network. Given the high CVSS score and the availability of a patch, immediate action is recommended.
This disclosure follows a trend of file-parsing vulnerabilities in engineering and scientific software, which are often targeted due to their use in critical infrastructure and research environments. The coordinated disclosure process between ZDI, Digilent, and the researcher highlights the importance of responsible vulnerability reporting. Users should ensure they are running the latest version of DASYLab and exercise caution when opening DSA files from untrusted sources.