Digilent DASYLab DSA File Parsing Flaw Allows Remote Code Execution via Out-of-Bounds Read
CVE-2026-0955, an out-of-bounds read vulnerability in Digilent DASYLab's DSA file parsing, could allow remote attackers to execute arbitrary code by tricking users into opening a malicious file.

A critical vulnerability in Digilent DASYLab, tracked as CVE-2026-0955, could allow remote attackers to execute arbitrary code on affected installations. The flaw, disclosed by Zero Day Initiative as ZDI-26-233, resides in the parsing of DSA files and stems from an out-of-bounds read condition. With a CVSS score of 7.8, the vulnerability requires user interaction — the target must visit a malicious page or open a specially crafted file — but successful exploitation grants code execution in the context of the current process.
The specific issue lies in the lack of proper validation of user-supplied data during DSA file parsing. This oversight can result in a read past the end of an allocated data structure, which an attacker can leverage to execute code in the context of the current process. The vulnerability was reported to Digilent on December 9, 2025, by researcher Rocco Calvi (@TecR0c) of TecSecurity, and a coordinated public advisory was released on March 30, 2026.
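The missing-validation pattern described above, shown as an added example that is not DASYLab code and does not come from the advisory. The page does not describe the DSA format, so the record layout (count, index, values) and all function names here are hypothetical. It contrasts an unchecked lookup with one that validates every file-supplied field against the buffer length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, an assumption (not the real DSA format):
 *   u16 count | u16 index | count * u16 values   (little-endian)
 * Every field comes from the file, so every field is untrusted. */
enum { HDR_LEN = 4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Unchecked form, for contrast only: the file-supplied index is used as an
 * offset without comparing it to count or len, so it can read past buf. */
int lookup_unchecked(const uint8_t *buf, size_t len) {
    (void)len;
    return rd16(buf + HDR_LEN + 2u * (size_t)rd16(buf + 2));
}

/* Checked form: returns the selected value, or -1 if the record is malformed. */
int lookup_checked(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < HDR_LEN) return -1;   /* header must be present */
    size_t count = rd16(buf), index = rd16(buf + 2);
    if (count * 2u > len - HDR_LEN) return -1;     /* declared table must fit */
    if (index >= count) return -1;                 /* index must be in table  */
    return rd16(buf + HDR_LEN + 2u * index);
}

/* Constructed sample records (not taken from any real file). */
const uint8_t REC_OK[]        = {2, 0, 1, 0, 0x11, 0x11, 0x22, 0x22};
const uint8_t REC_BAD_INDEX[] = {2, 0, 9, 0, 0x11, 0x11, 0x22, 0x22};
const uint8_t REC_BAD_COUNT[] = {0xFF, 0xFF, 0, 0, 0x11, 0x11};
const uint8_t REC_SHORT[]     = {2, 0, 1};

int main(void) {
    /* Only the checked parser is run; malformed records are rejected. */
    printf("ok=%d bad_index=%d bad_count=%d short=%d\n",
           lookup_checked(REC_OK, sizeof REC_OK),
           lookup_checked(REC_BAD_INDEX, sizeof REC_BAD_INDEX),
           lookup_checked(REC_BAD_COUNT, sizeof REC_BAD_COUNT),
           lookup_checked(REC_SHORT, sizeof REC_SHORT));
    return 0;
}
```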
Digilent has issued a security update to address the vulnerability. Users are urged to apply the patch immediately; it is available through the vendor's advisory page on NI's support site. The update corrects the out-of-bounds read flaw, closing the attack vector for remote code execution.
The impact of CVE-2026-0955 is significant for organizations relying on Digilent DASYLab for data acquisition and analysis. DASYLab is widely used in engineering, research, and industrial environments for creating measurement and control applications. An attacker who successfully exploits this vulnerability could gain the same privileges as the logged-on user, potentially leading to data theft, system compromise, or lateral movement within a network.
This vulnerability highlights the ongoing risks associated with file parsing in specialized software. Out-of-bounds read flaws are a common class of memory corruption bugs, often exploited in targeted attacks against high-value sectors such as manufacturing, energy, and academia. The requirement for user interaction — opening a malicious file — makes phishing campaigns a likely delivery vector.
Digilent's prompt response in releasing a patch within approximately three months of the initial report demonstrates responsible disclosure in action. However, the onus remains on users and administrators to apply the update swiftly. Given the CVSS score of 7.8 and the potential for code execution, this vulnerability should be prioritized for remediation in environments where DASYLab is deployed.
As of the advisory date, there is no public evidence of active exploitation in the wild. Nonetheless, the availability of detailed technical information in the advisory could enable threat actors to develop exploits. Organizations should monitor for unusual file activity and ensure that users are trained to avoid opening unsolicited files or links, especially those related to DASYLab projects.