CVE-2026-0954 is a vulnerability classified under CWE-787 (Out-of-bounds Write) affecting Digilent's DASYLab software. The flaw arises when the application loads a corrupted .DSB file, leading to a memory corruption condition due to writing outside the allocated buffer boundaries. This type of vulnerability can be exploited to execute arbitrary code, potentially allowing an attacker to take control of the affected system, or to disclose sensitive information stored in memory. The attack vector requires a local user to open a maliciously crafted .DSB file, which means user interaction is necessary. No privileges are required to exploit this vulnerability, and the scope is unchanged, meaning the impact is confined to the vulnerable application context. The CVSS v3.1 base score is 7.8, indicating high severity with high impact on confidentiality, integrity, and availability, and low attack complexity. The vulnerability affects all versions of DASYLab, and no patches have been released yet. While no exploits have been observed in the wild, the potential for serious damage exists, especially in environments where DASYLab is used for data acquisition, control, and automation tasks.

The vulnerability poses a significant risk to organizations using Digilent DASYLab, particularly those in industrial automation, scientific research, and engineering fields where DASYLab is commonly deployed. Exploitation could lead to arbitrary code execution, allowing attackers to gain unauthorized control over systems, manipulate data, or disrupt operations. Information disclosure could expose sensitive project data or intellectual property. Given that exploitation requires user interaction, phishing or social engineering campaigns could be used to deliver malicious .DSB files. The impact extends to confidentiality, integrity, and availability, potentially causing operational downtime, data breaches, and loss of trust. Organizations relying on DASYLab for critical infrastructure monitoring or control could face severe consequences if exploited. The lack of available patches increases exposure time, emphasizing the need for immediate mitigation.

Since no official patches are currently available, organizations should implement layered defenses. First, educate users about the risks of opening unsolicited or unexpected .DSB files, emphasizing caution with email attachments and downloads. Implement strict file handling policies, including disabling or restricting the ability to open .DSB files from untrusted sources. Use endpoint protection solutions capable of detecting anomalous behavior or memory corruption attempts related to DASYLab. Employ application whitelisting to limit execution of unauthorized files. Network segmentation can isolate systems running DASYLab to reduce lateral movement risk. Monitor logs and system behavior for signs of exploitation attempts. Regularly back up critical data and ensure recovery procedures are tested. Once patches become available, prioritize their deployment. Additionally, consider sandboxing or running DASYLab in controlled environments to limit potential damage from exploitation.