Description
There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
Published: 2026-04-07
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from an out‑of‑bounds read inside the function sentry_transaction_context_set_operation() in NI LabVIEW, which can lead to memory corruption. The resulting information disclosure or arbitrary code execution can occur if a user opens a maliciously crafted VI file. The impact is severe because it enables a local or remote attacker to execute code with the privileges of the affected user.

Affected Systems

NI LabVIEW is the vendor, with affected releases including 2026 Q1 (version 26.1.0) and all earlier LabVIEW editions up through the 2025 and 2024 releases. The issue applies to all standard builds of the product that include the vulnerable function.

Risk and Exploitability

The CVSS score of 8.5 classifies this as high risk, yet the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Successful exploitation requires a user to open a specially crafted VI file, implying a user‑interaction vector, typically remote. However, because the outcome can be code execution, the potential damage is significant.

Generated by OpenCVE AI on April 13, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NI LabVIEW patch or upgrade to a version released after 2026 Q1
  • Verify that all LabVIEW updates are installed on systems that have accessed or host VI files
  • Configure user access controls to restrict opening of unknown or externally supplied VI files
  • Conduct a review of network traffic to detect any suspicious LabVIEW communications and block if necessary

Generated by OpenCVE AI on April 13, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ni:labview:2023:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch4:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch5:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch6:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch7:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2023:q3_patch8:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:-:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q1_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch4:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2024:q3_patch5:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q1_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch1:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch2:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2025:q3_patch3:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2026:q1:*:*:*:*:*:*

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.
Title Out-of-Bounds Read in sentry_transaction_context_set_operation()
First Time appeared Ni
Ni labview
Weaknesses CWE-125
CPEs cpe:2.3:a:ni:labview:*:*:*:*:*:*:*:*
Vendors & Products Ni
Ni labview
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ni Labview
cve-icon MITRE

Status: PUBLISHED

Assigner: NI

Published:

Updated: 2026-04-08T03:55:55.727Z

Reserved: 2026-03-16T20:29:24.841Z

Link: CVE-2026-32863

cve-icon Vulnrichment

Updated: 2026-04-07T20:38:33.995Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:26.220

Modified: 2026-04-13T14:53:21.223

Link: CVE-2026-32863

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:49Z

Weaknesses