Description
Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Published: 2026-06-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in NI-PAL allows a locally authenticated user to read or write arbitrary system memory, which can be leveraged to gain higher privileges on the host. This flaw can enable an attacker to compromise the integrity and confidentiality of the system, potentially resulting in full system takeover. The weakness is categorized as CWE-1285, representing an input validation error that permits memory access beyond intended bounds.

Affected Systems

The vulnerability affects NI-PAL version 26.3.0 and all earlier releases deployed on Microsoft Windows and Linux operating systems. These installations expose the input validation flaw to any user who can run or interact with the NI-PAL application locally.

Risk and Exploitability

With a CVSS score of 8.4, the bug is considered high severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, indicating no widely documented exploitation yet. The attack vector is local: an authenticated user with access to the NI-PAL process can trigger the input validation failure and use the resulting memory access to elevate privileges. Exploitation requires no additional network access or remote interaction, but does need local presence on the target machine.

Generated by OpenCVE AI on June 3, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NI-PAL to the latest version, which removes the corrupted input validation logic.
  • Limit local access to NI-PAL by applying least‑privilege user controls and restricting who can execute the application.
  • Audit and harden the system to ensure that only authorized personnel have local login rights, reducing the attack surface for potential privilege escalation.

Generated by OpenCVE AI on June 3, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Microsoft
Microsoft windows
Ni linux Real-time
CPEs cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:o:ni:linux_real-time:-:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
Microsoft
Microsoft windows
Ni linux Real-time

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
Title Local privilege escalation in NI-PAL
First Time appeared Ni
Ni ni-pal
Weaknesses CWE-1285
CPEs cpe:2.3:a:ni:ni-pal:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni ni-pal
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Linux Linux Kernel
Microsoft Windows
Ni Linux Real-time Ni-pal
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-06-04T03:55:47.213Z

Reserved: 2026-05-06T13:33:43.716Z

Link: CVE-2026-8036

cve-icon Vulnrichment

Updated: 2026-06-03T14:04:21.668Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-02T20:16:41.370

Modified: 2026-06-05T15:10:35.937

Link: CVE-2026-8036

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:55:26Z

Weaknesses
  • CWE-1285

    Improper Validation of Specified Index, Position, or Offset in Input