Memory Corruption and Deserialization Vulnerabilities in DASYLab
Created Jun 09, 2026
Overview
There are multiple vulnerabilities related to improper validation and unsafe data handling when parsing DSB files in DASYLab that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted DSB file, and these vulnerabilities affect all versions of DASYLab.
This advisory covers CVE-2025-9188, CVE-2025-57774, CVE-2025-57775, CVE-2025-57776, and CVE-2025-57777.
Contents
- Mitigation Guidance
- Affected Products
- CVSS Score
- Further Information
- Acknowledgements
- Additional Resources
Mitigation Guidance
Update to the current version of DASYLab. For older versions, no fixes are available for these issues in the referenced advisories. In all cases, avoid opening files from untrusted sources.
Affected Products
| Product Version | Mitigation |
| --- | --- |
| DASYLab – all versions before 2026.0 | Avoid opening untrusted DSB files |
| DASYLab 2026.0 | Not affected |
CVSS Score
- CVE-2025-9188 – 7.8 (CVSS 3.1), AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2025-9188 – 8.5 (CVSS 4.0), AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVE-2025-57774 – 7.8 (CVSS 3.1), AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2025-57774 – 8.5 (CVSS 4.0), AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVE-2025-57775 – 7.8 (CVSS 3.1), AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2025-57775 – 8.5 (CVSS 4.0), AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVE-2025-57776 – 7.8 (CVSS 3.1), AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2025-57776 – 8.5 (CVSS 4.0), AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- CVE-2025-57777 – 7.8 (CVSS 3.1), AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVE-2025-57777 – 8.5 (CVSS 4.0), AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Further Information
CVE-2025-9188 is a deserialization of untrusted data vulnerability in Digilent DASYLab that may result in arbitrary code execution.
CVE-2025-57774 is an out-of-bounds write vulnerability in DSB file parsing caused by lack of proper validation of user-supplied data, resulting in a write past the end of an allocated data structure.
CVE-2025-57775 is a heap-based buffer overflow in DSB file parsing caused by lack of proper validation of the length of user-supplied data before copying it into a heap-based buffer.
CVE-2025-57776 is an out-of-bounds write vulnerability in DSB file parsing caused by improper validation of user-supplied data, resulting in a write past the end of an allocated buffer.
CVE-2025-57777 is an out-of-bounds write vulnerability in DSB file parsing caused by improper validation of user-supplied data, resulting in a write past the end of an allocated data structure.
All five vulnerabilities can allow an attacker to execute code in the context of the current process if a user opens a malicious DSB file.
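The length validation whose absence is described for CVE-2025-57775 (and the related out-of-bounds writes), shown as an added example that is not DASYLab code and does not come from the advisory. The record layout, `parse_record`, `record_t` and the size constants are hypothetical, since the DSB format is not described here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (assumption, not the real DSB format):
 * 2-byte little-endian payload length, then the payload bytes. */
#define REC_HDR_LEN     2u
#define REC_MAX_PAYLOAD 64u   /* assumed capacity of the heap destination */

typedef struct {
    uint16_t len;
    uint8_t *data;            /* heap buffer of REC_MAX_PAYLOAD bytes */
} record_t;

/* Returns 0 on success, -1 on a truncated/oversized record or OOM. */
int parse_record(const uint8_t *in, size_t in_len, record_t *out)
{
    if (in == NULL || out == NULL || in_len < REC_HDR_LEN)
        return -1;            /* the length header itself must be present */
    uint16_t claimed = (uint16_t)(in[0] | (in[1] << 8));

    /* Check 1: file-supplied length must fit the destination buffer.
     * Without it, memcpy below writes past the end of out->data. */
    if (claimed > REC_MAX_PAYLOAD)
        return -1;
    /* Check 2: length must not exceed the bytes actually present in the
     * input, or memcpy reads past the end of the file buffer. */
    if ((size_t)claimed > in_len - REC_HDR_LEN)
        return -1;

    out->data = malloc(REC_MAX_PAYLOAD);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, in + REC_HDR_LEN, claimed);
    out->len = claimed;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid record and one claiming 0xFFFF bytes. */
    const uint8_t ok[]  = {0x03, 0x00, 'a', 'b', 'c'};
    const uint8_t bad[] = {0xFF, 0xFF, 'a'};
    record_t r = {0, NULL};
    int rc_ok = parse_record(ok, sizeof ok, &r);
    free(r.data);
    int rc_bad = parse_record(bad, sizeof bad, &r);
    return (rc_ok == 0 && rc_bad == -1) ? 0 : 1;
}
```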
Acknowledgements
In the NI advisory, Digilent credited kimiya, working with Trend Micro Zero Day Initiative, for reporting the issue set and coordinating disclosure. ZDI lists kimiya as the credited reporter for CVE-2025-57774.
Additional Resources
- [NI: Memory Corruption Vulnerabilities in Digilent DASYLab]
- [NVD: CVE-2025-9188]
- [ZDI-25-887: CVE-2025-57774]
- [ZDI-25-888: CVE-2025-57775]
- [ZDI-25-889: CVE-2025-57776]
- [ZDI-25-890: CVE-2025-57777]
