Description
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
Published: 2026-04-07
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NI LabVIEW is vulnerable to a memory corruption flaw caused by an out-of-bounds write when opening a specially crafted .lvlib file. The vulnerability can lead to information disclosure or, more critically, arbitrary code execution if the malicious file is opened by an affected user. This type of flaw permits an attacker to overwrite arbitrary memory locations, potentially allowing execution of attacker‑supplied code within the LabVIEW process.

Affected Systems

All NI LabVIEW installations up to and including 2026 Q1 (version 26.1.0) are affected. This includes earlier 2026 releases as well as all 2026 Q1 patches prior to the final fix. The vulnerability exists in the library file parsing component of LabVIEW and is present in any version that traditionally receives a Q1 update cycle.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests low probability of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the user to open a malicious .lvlib file, implying a typical user‑interfacial or removable‑media vector. The necessity of a user action reduces the likelihood of automated attacks but still poses a significant risk when documents are shared through social engineering or compromised storage media.

Generated by OpenCVE AI on April 13, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NI LabVIEW security update or upgrade to a version released after 2026 Q1 that contains the fix. The most recent update can be downloaded from the NI support portal.
  • Limit the use of .lvlib files by only opening them from trusted sources. Mark or quarantine any unknown .lvlib files before opening, and consider disabling the import function if it is not required for operations.
  • Verify that the updated version includes the specific fix for the out‑of‑bounds write by checking the release notes or patch status.

Generated by OpenCVE AI on April 13, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ni:labview:2023:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch4:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch5:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch6:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch7:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch8:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:-:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q1_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch4:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch5:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2026:q1:*:*:*:*:*:*

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
Title Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvlib file
First Time appeared Ni
Ni labview
Weaknesses CWE-787
CPEs cpe:2.3:a:ni:labview:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni labview
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ni Labview
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-04-08T03:55:57.909Z

Reserved: 2026-03-16T20:29:24.840Z

Link: CVE-2026-32860

cve-icon Vulnrichment

Updated: 2026-04-07T20:39:34.605Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:24.040

Modified: 2026-04-13T14:55:52.147

Link: CVE-2026-32860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:52Z

Weaknesses