Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
AnalysisAI
Local privilege escalation in National Instruments NI-PAL versions 26.3.0 and earlier on Windows and Linux allows authenticated low-privileged users to read arbitrary system memory through improper input validation, potentially leading to full privilege escalation. CVSS 4.0 base score is 8.4 (High) reflecting the local attack vector but high confidentiality and integrity impact. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
NI-PAL is the Platform Abstraction Layer used by National Instruments software stacks (including LabVIEW, DAQmx, and other measurement/automation tooling) to mediate hardware and OS-level operations across Windows and Linux. The root cause is CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input), meaning the component accepts an index/offset/pointer value from a caller and uses it to read or address memory without sufficient bounds checks. Because PAL components frequently expose IOCTL-style interfaces, kernel drivers, or privileged user-mode services to lower-privileged callers, an unchecked offset allows the privileged side to be coerced into reading attacker-chosen kernel or process memory regions, which is the standard primitive used to leak credentials, tokens, or kernel pointers needed for full LPE. The affected CPE is cpe:2.3:a:ni:ni-pal:*:*:*:*:*:*:*:*.
RemediationAI
Patch available per vendor advisory: upgrade NI-PAL to the fixed release identified in NI's security bulletin at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/invalid-input-validation-vulnerabilities-in-ni-pal.html (an exact post-26.3.0 fixed version is not independently confirmed in the data provided, so verify the version string against the NI advisory before deployment). Because the vulnerability requires local authenticated access, compensating controls until patching is complete include restricting interactive and remote-shell logon to NI engineering workstations to a small set of trusted operators, removing local administrator rights from standard NI software users, disabling unattended/shared login sessions on lab machines, and using application allow-listing (WDAC/AppLocker on Windows, SELinux/AppArmor on Linux) to prevent untrusted binaries from invoking the NI-PAL interface; the trade-off is operational friction for technicians who normally run ad-hoc scripts against NI hardware. Monitor process creation and driver-loading telemetry on hosts running NI software for unexpected children of NI service processes as a detection backstop.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33992
GHSA-ghx9-cc3j-7qrg