CVE-2026-8035 Overview
CVE-2026-8035 is a NULL pointer dereference vulnerability [CWE-476] in the NI-PAL kernel driver shipped by National Instruments (NI). The flaw stems from improper input validation in the driver's handling of user-supplied data. A local authenticated user can trigger the dereference and crash the host operating system, producing a denial-of-service (DoS) condition. The issue affects NI-PAL version 26.3.0 and all prior releases on both Windows and Linux platforms. Because the vulnerable code path executes in kernel space, a successful trigger results in a full system crash rather than a contained process failure.
Critical Impact
A local authenticated attacker can crash any Windows or Linux host running NI-PAL 26.3.0 or earlier, interrupting test, measurement, and automation workloads that depend on the driver.
Affected Products
- NI-PAL 26.3.0 (Windows)
- NI-PAL 26.3.0 (Linux)
- All prior versions of NI-PAL on Windows and Linux
Discovery Timeline
- 2026-06-02 - CVE-2026-8035 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-8035
Vulnerability Analysis
The NI-PAL (Platform Abstraction Layer) kernel driver fails to validate input received from user-mode callers before dereferencing pointer values. When a crafted request reaches the affected driver routine, the code path operates on a pointer that resolves to NULL. The resulting access violation occurs in kernel context and immediately halts the operating system. On Windows this produces a bug check (BSOD); on Linux it produces a kernel oops or panic depending on configuration.
The vulnerability requires local access and valid authentication, which limits the attack surface to users already present on the system. There is no confidentiality impact, but integrity and availability of the host are affected because the crash interrupts every workload on the machine. NI has published a security advisory documenting the issue and the fixed release.
Root Cause
The root cause is missing input validation [CWE-476] in a kernel-mode I/O handler. The driver accepts a value or structure from user mode and passes it through one or more dereference operations without first checking that the pointer is non-NULL or that the supplied structure fields are well-formed. Kernel drivers must treat all user-supplied data as untrusted and validate it before use, and that contract is not met in the affected code path.
Attack Vector
Exploitation requires local access with valid credentials. An authenticated user issues an IOCTL or equivalent request to the NI-PAL driver device object with malformed parameters. The driver dispatches the request, reaches the unvalidated pointer use, and crashes the kernel. No user interaction beyond the attacker's own request is required, and no elevated privileges are needed to reach the vulnerable interface. Refer to the NI Software Security Update for vendor-confirmed technical details.
Detection Methods for CVE-2026-8035
Indicators of Compromise
- Unexpected Windows bug checks referencing the NI-PAL driver module in crash dumps under %SystemRoot%\Minidump\.
- Linux kernel oops or panic entries in dmesg or /var/log/kern.log that reference NI-PAL symbols or modules.
- Repeated system crashes on hosts running NI test and measurement software shortly after a local user session begins.
Detection Strategies
- Inventory all Windows and Linux endpoints for installed NI-PAL versions and flag any instance at or below 26.3.0.
- Correlate kernel crash telemetry with the active user session at the time of the fault to identify the triggering account.
- Alert on repeated abnormal shutdowns or kernel faults on engineering, lab, or industrial automation hosts where NI-PAL is deployed.
Monitoring Recommendations
- Forward Windows System event log entries (Event IDs 41, 1001, 6008) and Linux kernel logs to a central log platform for correlation.
- Monitor IOCTL activity and device handle opens against NI-PAL device objects from non-administrative users.
- Track patch state of NI-PAL across the fleet and generate compliance reports against the fixed release.
How to Mitigate CVE-2026-8035
Immediate Actions Required
- Identify all hosts with NI-PAL 26.3.0 or earlier installed on Windows or Linux.
- Apply the fixed NI-PAL release published by National Instruments to every affected host.
- Restrict interactive and remote local logon rights on systems running NI-PAL to trusted accounts only.
- Review and reduce the set of users who can load or interact with NI test and measurement software.
Patch Information
National Instruments has published guidance and a corrected build in the NI Software Security Update. Upgrade NI-PAL to the version listed as fixed in that advisory. Verify the installed version on Windows through the NI Package Manager and on Linux through the distribution's package manager after the update.
Workarounds
- Where the affected driver is not required, uninstall NI-PAL until the patched version can be deployed.
- Limit local user accounts on affected hosts using least-privilege principles to reduce the population that can reach the vulnerable interface.
- Isolate lab and automation hosts running NI-PAL on dedicated network segments to limit the operational impact of a kernel crash.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
