Memory Corruption and Deserialization Vulnerabilities in DASYLab

Created Jun 09, 2026

Overview

There are multiple vulnerabilities related to improper validation and unsafe data handling when parsing DSB files in DASYLab that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted DSB file, and these vulnerabilities affect all versions of DASYLab.

This advisory covers CVE-2025-9188, CVE-2025-57774, CVE-2025-57775, CVE-2025-57776, and CVE-2025-57777.

Mitigation Guidance

Update to the current version of DASYLab. For older versions: There are no fixes available for these issues in the referenced advisories. Always: Avoid opening files from untrusted sources.

Affected Products

Product Version | Mitigation
DASYLab – all versions before 2026.0 | Avoid opening untrusted DSB files
DASYLab 2026.0 | Not affected

CVSS Score

Further Information

CVE-2025-9188 is a deserialization of untrusted data vulnerability in Digilent DASYLab that may result in arbitrary code execution.

CVE-2025-57774 is an out-of-bounds write vulnerability in DSB file parsing caused by lack of proper validation of user-supplied data, resulting in a write past the end of an allocated data structure.

CVE-2025-57775 is a heap-based buffer overflow in DSB file parsing caused by lack of proper validation of the length of user-supplied data before copying it into a heap-based buffer.

CVE-2025-57776 is an out-of-bounds write vulnerability in DSB file parsing caused by improper validation of user-supplied data, resulting in a write past the end of an allocated buffer.

CVE-2025-57777 is an out-of-bounds write vulnerability in DSB file parsing caused by improper validation of user-supplied data, resulting in a write past the end of an allocated data structure.

All five vulnerabilities can allow an attacker to execute code in the context of the current process if a user opens a malicious DSB file.
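
To make the bug class behind the DSB parsing CVEs concrete, the following is an added example (not DASYLab or Digilent code, and not the DSB format): a C parser for a hypothetical length-prefixed record that checks the file-supplied length against both the destination field and the remaining input before copying into a heap allocation. The record layout, NAME_CAP, and all type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record (NOT the DSB format): [u32 LE name length][name bytes] */
#define NAME_CAP 32u /* assumed capacity of the destination field */

typedef struct { uint8_t name[NAME_CAP]; uint32_t name_len; } channel_t;
typedef enum { REC_OK, REC_TRUNCATED, REC_TOO_LONG, REC_NOMEM } rec_status;

/* Decode a little-endian u32 byte by byte (no alignment or host-endian assumptions). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from buf[0..buf_len). On REC_OK, *out is heap-allocated
 * and owned by the caller; on any error *out stays NULL. */
rec_status parse_channel(const uint8_t *buf, size_t buf_len, channel_t **out) {
    *out = NULL;
    if (buf_len < 4) return REC_TRUNCATED;            /* length field itself missing */
    uint32_t claimed = read_le32(buf);                /* untrusted, file-supplied value */
    /* Without the next two checks, the memcpy below is the heap overflow. */
    if (claimed > NAME_CAP) return REC_TOO_LONG;      /* would write past name[] */
    if (claimed > buf_len - 4) return REC_TRUNCATED;  /* would read past the input */
    channel_t *ch = calloc(1, sizeof *ch);
    if (ch == NULL) return REC_NOMEM;
    memcpy(ch->name, buf + 4, claimed);
    ch->name_len = claimed;
    *out = ch;
    return REC_OK;
}

/* Constructed sample inputs */
static const uint8_t SAMPLE_OK[]       = {3, 0, 0, 0, 'A', 'I', '0'};
static const uint8_t SAMPLE_OVERLONG[] = {0xFF, 0xFF, 0xFF, 0xFF, 'A'}; /* claims ~4 GiB */
static const uint8_t SAMPLE_SHORT[]    = {8, 0, 0, 0, 'A', 'I'};        /* claims 8, has 2 */

int main(void) {
    channel_t *ch;
    printf("ok=%d ", (int)parse_channel(SAMPLE_OK, sizeof SAMPLE_OK, &ch));
    free(ch);
    printf("overlong=%d ", (int)parse_channel(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &ch));
    printf("short=%d\n", (int)parse_channel(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &ch));
    return 0;
}
```

The second check is written as a comparison against buf_len - 4 rather than claimed + 4 so that the bound itself cannot wrap around.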

Acknowledgements

Digilent credited kimiya, working with Trend Micro Zero Day Initiative, for reporting the issue set and coordinating disclosure in the NI advisory. ZDI lists kimiya as the credited reporter for CVE-2025-57774.

Additional Resources