VYPR
patch · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

Digilent DASYLab DSB File Parsing Flaw (CVE-2026-0954) Allows Remote Code Execution

A critical out-of-bounds write vulnerability in Digilent DASYLab (CVE-2026-0954) allows remote code execution via malicious DSB files, with patches now available from the vendor.

Digilent has released a security update to address CVE-2026-0954, a high-severity out-of-bounds write vulnerability in its DASYLab data acquisition software. The flaw, disclosed by the Zero Day Initiative (ZDI) on March 30, 2026, carries a CVSS score of 7.8 and can be exploited to achieve remote code execution in the context of the current process.

The vulnerability resides in the parsing of DSB files, the native project format for DASYLab. The software fails to properly validate user-supplied data when reading these files, leading to a write past the end of an allocated buffer. An attacker can trigger the vulnerability by convincing a user to open a specially crafted DSB file or visit a malicious web page that loads the file. No authentication is required, but user interaction is necessary.

DASYLab is used extensively in engineering, research, and industrial environments for data acquisition, signal analysis, and test automation. The software is deployed across Windows systems in laboratories, manufacturing floors, and academic institutions. While the vulnerability is not known to be actively exploited in the wild, the public disclosure of technical details increases the risk of weaponization.

Digilent has issued an update to correct the vulnerability. Users are advised to apply the latest patches available from the vendor's security advisory page. The advisory also notes that the vulnerability was reported to Digilent on December 9, 2025, and the coordinated public release occurred on March 30, 2026. The credit for the discovery goes to an anonymous researcher.

CVE-2026-0954 is the latest in a series of file-parsing vulnerabilities targeting industrial and engineering software. Similar flaws in products from Siemens, Rockwell Automation, and other vendors have been exploited in targeted attacks. ZDI-26-236 highlights the ongoing risk posed by legacy file formats in specialized software, where input validation is often overlooked during development.

Organizations should prioritize updating DASYLab installations, especially in environments where users routinely open files from external sources. Until a patch is applied, organizations can mitigate risk by restricting DSB file handling, implementing application whitelisting, and training users to avoid opening unsolicited files.

Synthesized by Vypr AI