VYPR
patch · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

Digilent DASYLab DSA File Parsing Flaw (CVE-2026-0957) Allows Remote Code Execution

A critical out-of-bounds write vulnerability in Digilent DASYLab, tracked as CVE-2026-0957, allows remote attackers to execute arbitrary code by tricking users into opening a malicious DSA file.

Digilent has released a security update to address CVE-2026-0957, a high-severity vulnerability in its DASYLab data acquisition and analysis software. The flaw, disclosed by the Zero Day Initiative (ZDI) on March 30, 2026, carries a CVSS score of 7.8 and stems from improper validation of user-supplied data during the parsing of DSA files.

The vulnerability is an out-of-bounds write issue, meaning an attacker can craft a malicious DSA file that, when opened by a user, writes data beyond the bounds of an allocated memory buffer. This memory corruption can be leveraged to achieve remote code execution in the context of the current process. Exploitation requires user interaction (the target must visit a malicious page or open a specially crafted file), making it a classic targeted attack vector.

DASYLab is widely used in engineering, research, and industrial environments for data acquisition, signal processing, and test automation. The software is deployed across sectors including manufacturing, automotive, aerospace, and academia. Any organization using DASYLab to process untrusted DSA files is potentially at risk, though the need for user interaction somewhat limits the scale of automated exploitation.

The vulnerability was reported to Digilent by researcher Rocco Calvi (@TecR0c) of TecSecurity on December 9, 2025. Digilent has since issued an update to correct the flaw, with details available on National Instruments' security advisory page. Users are strongly advised to apply the patch immediately and to avoid opening DSA files from untrusted sources.

CVE-2026-0957 is the latest in a series of file-parsing vulnerabilities targeting industrial and engineering software. Similar flaws have been found in products from Siemens, Rockwell Automation, and other vendors, highlighting the persistent risk posed by legacy file formats in operational technology environments. As attackers increasingly target OT and industrial control systems, timely patching and user awareness remain critical defenses.

Synthesized by Vypr AI