CVE-2026-8035: NI-PAL Kernel Driver NULL Pointer Dereference DoS Vulnerability
CVE-2026-8035 is a denial-of-service vulnerability in National Instruments' PAL kernel driver that allows authenticated local users to crash the system. The flaw stems from inadequate input validation that fails to check for NULL pointers before dereferencing them in memory. An attacker with local system access can exploit this by supplying malformed input to the driver, causing an immediate kernel panic. The vulnerability affects NI-PAL version 26.3.0 and all earlier releases across both Windows and Linux platforms.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in improper input validation within the NI-PAL kernel driver (CWE-476: NULL Pointer Dereference). When the driver processes user-supplied input without sufficient validation, an authenticated local attacker can craft input that causes the driver to dereference a NULL pointer, triggering a kernel-level crash. The attack vector is local, requires prior authentication, and does not require user interaction. The impact is limited to availability—the system becomes unavailable until reboot, but code execution and privilege escalation are not possible through this mechanism.
Business impact
Availability disruptions caused by this vulnerability could impact production environments where NI-PAL is integrated into automation, measurement, or control systems. Manufacturing facilities, test laboratories, or embedded real-time systems relying on NI Linux Real-Time or Windows systems with PAL drivers face risk of unexpected downtime. While the vulnerability does not enable data theft or unauthorized access, the denial-of-service impact may interrupt critical operations until systems are restarted and patched.
Affected systems
This vulnerability affects NI-PAL version 26.3.0 and prior on Windows and Linux operating systems. The scope extends to systems running NI Linux Real-Time that incorporate the vulnerable driver. Any deployment where authenticated local users have access to the NI-PAL driver interface is at risk. Cross-platform exposure (Windows, Linux, and NI's real-time Linux) means both enterprise and embedded environments require attention.
Exploitability
Exploitation requires local system access with authenticated user privileges—a threat actor cannot trigger this remotely over the network. An insider, compromised local account, or user with physical access to the system could deliberately or accidentally invoke a crash by submitting malformed input to the NI-PAL driver. The attack requires no user interaction and executes reliably once triggered. While the barrier to entry is moderate (authentication required), the simplicity of the NULL pointer dereference and the predictable crash behavior make this straightforward to exploit once local access is obtained.
Remediation
Upgrade NI-PAL to the latest patched version released after 26.3.0. National Instruments has published updates addressing this input validation flaw. Verify the specific patch version against the vendor advisory and test thoroughly in a non-production environment before deploying to operational systems. In parallel, restrict local user privileges to the NI-PAL driver interface where possible through driver-level access controls or operating system security policies.
Patch guidance
Obtain the latest NI-PAL driver update from National Instruments' official download portal or update utility. The advisory will specify the minimum patched version required (verify against the vendor advisory for exact build numbers). Patch deployment should be coordinated with system downtime windows, as driver updates typically require a system restart. Test the patched driver in a staging environment with representative workloads to confirm stability and compatibility with dependent applications before rolling out to production systems. Document the patch version and deployment date for compliance and audit purposes.
Detection guidance
Monitor kernel logs and system event logs for NULL pointer dereference crashes or unexpected NI-PAL driver terminations. On Linux systems, check dmesg or journalctl for kernel panic messages mentioning the PAL driver; on Windows, examine the Event Viewer for driver fault events. Behavioral anomalies such as repeated system reboots without user initiation or unplanned availability interruptions in NI-dependent applications warrant investigation into potential exploitation. Correlate timing of crashes with authentication logs to identify whether a specific user account is triggering the condition.
Why prioritize this
Although this vulnerability carries a CVSS 3.1 score of 7.1 (HIGH severity), it should be prioritized based on your deployment model. Organizations with mission-critical NI-PAL integrations in manufacturing, test automation, or embedded real-time systems should treat it as urgent because unplanned downtime carries significant operational cost. However, organizations with limited or non-critical NI-PAL usage can address it within a standard maintenance cycle. The lack of CISA KEV listing and the requirement for authenticated local access reduce the urgency compared to unauthenticated remote code-execution flaws, but the availability impact justifies prompt attention for affected deployments.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects the combination of: (1) local attack vector requiring authentication, limiting exposure; (2) low attack complexity—NULL pointer dereferences are typically trivial to trigger once input validation is bypassed; (3) no confidentiality impact, preserving data secrecy; (4) high integrity and availability impact, as the system crash may interrupt ongoing processes and require manual intervention to restore service. The score appropriately reflects a serious but not critical threat in environments where local privileged access is already restricted or monitored.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The attack vector is strictly local (AV:L), requiring an authenticated user to have direct access to the system or physical presence. Remote network-based exploitation is not possible.
What versions of NI-PAL are vulnerable?
All versions up to and including 26.3.0 are affected. Versions released after 26.3.0 with the security patches addressed in the vendor advisory are safe. Verify the exact patched version number in the official NI advisory.
Does this vulnerability allow an attacker to steal data or gain elevated privileges?
No. The vulnerability is limited to denial of service via a kernel crash. It does not enable code execution, data exfiltration, or privilege escalation. An attacker can disrupt availability but cannot access confidential information or gain higher system permissions.
How often should I check for NI-PAL updates?
Subscribe to National Instruments security advisories or check their security notifications regularly—monthly or whenever you update other critical infrastructure drivers. For mission-critical deployments, align NI-PAL patching with your regular patch management cycle and test patches in staging before production rollout.
This analysis is provided for informational purposes based on available vulnerability data as of the publication date. Specific patch version numbers, timelines, and deployment guidance should be verified against the official National Instruments security advisory before implementing any remediation. SEC.co does not provide real-time updates; organizations should monitor vendor communications and CISA advisories for the latest security information. Testing in a non-production environment is strongly recommended before patching production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-8036HIGHNI-PAL Local Privilege Escalation via Memory Access Flaw
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability
- CVE-2026-46114HIGHLinux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service