Description
Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Published: 2026-06-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the NI-PAL kernel driver can cause a NULL pointer dereference when a malicious local authenticated user supplies crafted input. Triggering the fault crashes the driver, resulting in a denial of service that can terminate affected applications or services.

Affected Systems

NI’s NI‑PAL product is the target, with versions 26.3.0 and earlier affected on both Windows and Linux operating systems.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk level. EPSS data is not available and the vulnerability is not listed in CISA KEV, implying limited public exploitation. The attack vector is local only and requires an authenticated user with privileges that allow interacting with the NI‑PAL driver, such as a system administrator or a user with install rights. Given these constraints, the likelihood of widespread exploitation is low, but the impact for systems running vulnerable versions can be disruptive.

Generated by OpenCVE AI on June 3, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NI‑PAL to the latest release (26.3.1 or newer) as distributed in NI’s 2026 update advisory.
  • Restrict installation and execution of NI‑PAL to trusted administrators by removing the driver from systems where it is not required.
  • Apply least‑privilege permissions on the driver files and directories so that only authorized users can load or manipulate NI‑PAL modules.

Generated by OpenCVE AI on June 3, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Title NULL pointer dereference in NI-PAL
First Time appeared Ni
Ni ni-pal
Weaknesses CWE-476
CPEs cpe:2.3:a:ni:ni-pal:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni ni-pal
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ni Ni-pal
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-02T17:22:07.870Z

Reserved: 2026-05-06T13:33:43.142Z

Link: CVE-2026-8035

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-02T20:16:41.213

Modified: 2026-06-02T20:16:41.213

Link: CVE-2026-8035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses